[rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch

Kim Pedersen lists at kimp.org
Tue Jan 18 09:15:37 EST 2011


Hi Josh,

Thanks for your input - I've just about come to the same point as well, 
but don't know how to "fix" either :-/


Kim



        When the taint mode ("-T") is in effect, the "." directory is removed
        from @INC, and the environment variables "PERL5LIB" and "PERLLIB" are
        ignored by Perl. You can still adjust @INC from outside the program by
        using the "-I" command line option as explained in perlrun. The two
        environment variables are ignored because they are obscured, and a user
        running a program could be unaware that they are set, whereas the "-I"
        option is clearly visible and therefore permitted.

        Another way to modify @INC without modifying the program, is to use the
        "lib" pragma, e.g.:

          perl -Mlib=/foo program

        The benefit of using "-Mlib=/foo" over "-I/foo", is that the former
        will automagically remove any duplicated directories, while the latter
        will not.

        Note that if a tainted string is added to @INC, the following problem
        will be reported:

          Insecure dependency in require while running with -T switch

    Cleaning Up Your Path
        For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a
        known value, and each directory in the path must be absolute and
        non-writable by others than its owner and group.  You may be surprised
        to get this message even if the pathname to your executable is fully
        qualified.  This is *not* generated because you didn't supply a full
        path to the program; instead, it's generated because you never set your
        PATH environment variable, or you didn't set it to something that was
        safe.  Because Perl can't guarantee that the executable in question
        isn't itself going to turn around and execute some other program that
        is dependent on your PATH, it makes sure you set the PATH.



On 2011-01-18 09:47, Josh Narins wrote:
>  From what I understand of Taint (-T) mode, this has nothing to do with directory permissions, and everything to do with trying to chdir to a variable (representing a directory) that has been marked as being unsafe, i.e. from user input.
>
> See "perldoc perldiag" to find the error message, which then leads you to "perldoc perlsec" for more about taint mode.
>
> That said, I don't know, inside RT, the appropriate way to deal with this.
>
>
>
> Josh Narins
> Director of Application Development
> SeniorBridge
> 845 Third Ave
> 7th Floor
> New York, NY 10022
> Tel: (212) 994-6194
> Mobile: (917) 488-6248
> Fax: (212) 994-4260
> jnarins at seniorbridge.com
>
> SeniorBridge
> Managing Complex Chronic Care
> http://www.seniorbridge.com
>
>
> SeniorBridge Statement of Confidentiality: The contents of this email message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. Any dissemination, distribution or copying of this email by an unintended or mistaken recipient is strictly prohibited. In said event, kindly reply to the sender and destroy all entries of this message and any attachments from your system. Thank you.
> -----Original Message-----
>> Fr
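An added example, not code from this thread or from RT's webmux.pl, showing in Perl the two things the perlsec excerpt above describes: under -T a value that arrives from @ARGV or %ENV cannot be handed to chdir until it has passed through a regex capture, and $ENV{PATH} must be set to a known value first. The base directory and the allowlist pattern are assumptions chosen for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread or RT): why chdir on a tainted value
# dies under -T, and the allowlist pattern that untaints it.  Run with:
#   perl -T taint_chdir.pl rt-cache
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec: set PATH to a known value and drop the other variables a shell
# consults, otherwise any later system()/backtick call also dies.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Only subdirectories of this base are acceptable targets (assumed value).
my $base = '/var/tmp';

# Return an untainted, validated directory path, or undef on rejection.
sub safe_dir {
    my ($input) = @_;
    return undef unless defined $input;
    # Allowlist: one path component of word characters, dots or dashes with
    # no leading dot and no separators, so "..", "/etc" and "a/b" all fail.
    # A regex capture is the only way Perl clears the taint flag on a value.
    return undef unless $input =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/;
    return "$base/$1";
}

# Under -T, @ARGV is tainted, just like %ENV and CGI input in webmux.pl.
my $requested = shift @ARGV;

if (defined $requested && tainted($requested)) {
    print "argument is tainted: chdir(\$requested) would die with\n";
    print "  Insecure dependency in chdir while running with -T switch\n";
}

my $dir = safe_dir($requested);
die "rejected directory name\n" unless defined $dir;
print "validated target: $dir (tainted=", tainted($dir) ? 1 : 0, ")\n";

# Safe now: the value came out of a regex capture, so its taint flag is off.
chdir $dir or die "chdir $dir: $!\n";
print "cwd is now $dir\n";
```

Passing a name such as "../etc" is rejected by the pattern rather than untainted, which is the point: untainting is a validation step, not a cast.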



