[rt-users] Re: Insecure dependency with FastCGI

michael.firestone michael.firestone at rule-of-ten.com
Mon Nov 17 09:48:59 EST 2003


I have seen this symptom in other contexts.  Simply put, File::Path does not 
play well with taint mode.  In your case, the $path variable in the mkdir() 
call is considered tainted.  The only way around this I have ever found was 
to create File::PathTaint which is a copy of File::Path, but includes some 
really unpleasant taint cleaning (usually something along the lines of):

 my $clean_path;

 # Blanket untaint: the capture accepts any non-empty single-line value.
 $clean_path = $1 if ( $path =~ /^(.+)$/ );
 $path = $clean_path;

Yes, I know.  It completely circumvents the idea of taint checking.  But it 
fixed the problem :) 

Mik 

Hanno Mueller writes: 

> Hanno Mueller wrote: 
> 
>> I'm trying to install RT on a Debian Stable box. Since Debian doesn't
>> come with Perl 5.8 yet, I compiled my own 5.8.2. It runs Apache 1.3.26
>> with FastCGI. 
>> 
>> 
>> I followed all the installation instructions for RT.
> 
> [..] 
> 
>> I'm a bit stuck and the mailing list doesn't mention this problem for
>> recent versions. Yet, I cannot use RT with mod_perl on this particular
>> server. 
>> 
>> Any suggestions?
> 
> I also tried to run 3.0.7 RC1 on the same box, no luck. Again, Perl 
> complains about the mkdir() call. 
> 
> I've tried to untaint the CGI variables, but actually, I don't want to 
> hunt for the symptom until I actually know the cause. 
> 
> 
> Is anyone else running RT 3.0.6 as a CGI or as a FastCGI? I cannot install 
> mod_perl on this server, so any help is greatly appreciated. 
> 
> Thanks, 
> 
> Hanno 
> 
> 
 


Mik Firestone
Vice Principal
Rule of Ten, Inc. 
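
An added example, not part of the original message and not RT or File::Path code: a stricter way to untaint a directory path before handing it to mkdir(), using an allow-list pattern instead of /^(.+)$/. The base directory, the helper name untaint_path and the sample inputs are assumptions made for illustration.

```perl
# Run as: perl -T untaint_path.pl   (also runs without -T; nothing is tainted then)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumed base directory for this sketch (placeholder, not an RT path).
my $BASE = '/var/cache/example-app';

# Return an untainted copy of $path, or nothing if it fails validation.
sub untaint_path {
    my ($path, $base) = @_;
    return unless defined $path;

    # Allow-list: absolute path whose components use only [A-Za-z0-9_.-].
    # \A and \z are used instead of ^ and $ so a trailing newline is rejected.
    return unless $path =~ m{\A((?:/[A-Za-z0-9_.-]+)+)\z};
    my $clean = $1;    # a regex capture is the sanctioned way to untaint

    # No "." or ".." components, so the path cannot climb out of the base.
    return if grep { $_ eq '.' || $_ eq '..' } split m{/}, $clean;

    # The result must be the base directory itself or something beneath it.
    return unless $clean eq $base || index($clean, "$base/") == 0;

    return $clean;
}

# Empty string that is tainted under -T; appending it taints the samples
# the same way data from a CGI request would be tainted.
my $taint = substr(join('', %ENV), 0, 0);

# Constructed sample inputs.
for my $sample (
    "$BASE/obj/standard",
    "$BASE/../../etc",
    "/tmp/elsewhere",
    "$BASE/obj\n",
    "$BASE/a b;c",
) {
    my $input = $sample . $taint;
    my $clean = untaint_path($input, $BASE);
    (my $shown = $sample) =~ s/\n/\\n/g;
    printf "%-40s tainted_in=%d -> %s\n", $shown, tainted($input) ? 1 : 0,
        defined $clean
            ? 'accepted, tainted_out=' . (tainted($clean) ? 1 : 0)
            : 'rejected';
}
```

Only the first sample is accepted; under -T it goes in tainted and comes out untainted, while the other four are rejected and never reach a filesystem call.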


