Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW

perl 5.8.4, IO::Socket, and taint checking

by thraxil (Prior)
on Jun 11, 2004 at 16:32 UTC ( #363466=perlquestion: print w/replies, xml ) Need Help??
thraxil has asked for the wisdom of the Perl Monks concerning the following question:

i recently upgraded an old redhat 7.2 box to perl 5.8.4 (from 5.8.0) and have encountered some weirdness with taint-checking and IO::Socket. here's the smallest test-case i could come up with:

i have the following XML file:

<?xml version="1.0"?> <settings> <base></base> </settings>

and the following perl:

#!/usr/bin/perl -wT use strict; use LWP::Simple; use XML::Simple; my $config = XML::Simple::XMLin("test.xml"); my $base = $config->{base}; if ($base =~ m{^(http://[\w\.\/\-]+)$}) { $base = $1; } else { print $base, " didn't match\n"; } print get("$base/index.html");

when i run it under perl 5.8.4, i get:

Insecure dependency in connect while running with -T switch at /usr/lo +cal/lib/perl5/5.8.4/i686-linux/IO/ line 114.

if i run it under 5.8.0, it works as expected.

so how on earth does it still consider $base to be tainted? it passes through the conditional without printing anything, so it certainly looks like it should be untainted.

if i don't get $base through XML::Simple, and instead just say $base = "", it works. if i don't do any string interpolation in the last line it works. ie, if i change the last line to just:

print get($base);

it works.

it looks like some Twiki users have encountered the same problem but haven't found any solution other than turning off taint-checking (which i don't consider a legitimate option on a public server).

so is this a perl bug, or am i missing something really stupid and obvious? can anyone else duplicate it?

Replies are listed 'Best First'.
Re: perl 5.8.4, IO::Socket, and taint checking
by Joost (Canon) on Jun 11, 2004 at 17:18 UTC
    This really looks like a perl bug to me:
    use use Scalar::Util qw(tainted); print "\$base is ",tainted($base) ? "" : "not ","tainted\n"; my $url = "$base/index.html"; print "\$url is ",tainted($url) ? "" : "not ","tainted\n"; print get($url); ___OUTPUT___ $base is not tainted $url is not tainted Insecure dependency in connect while running with -T switch at /usr/li +b/perl/5.8/IO/ line 114.

    While it works if you set $base to some hard-coded value...


    I also upgraded (from 5.8.0 to 5.8.3) so can anyone confirm if this also happens with a "clean" perl 5.8.3 + install ?
      I tested the same script under "perl, v5.8.3 built for i386-linux-thread-multi" which is from Mandrake 10.0's perl-base-5.8.3-5mdk. I did not see any errors like that.
Re: perl 5.8.4, IO::Socket, and taint checking
by driver8 (Scribe) on Jun 12, 2004 at 18:12 UTC
    I don't have much experience with taint checking, so I'm not sure, but that doesn't look quite right to me. If the $base doesn't pass the conditional, you are still using it in the 'print get("$base/index.html");' even though it's tainted. What if you move the get up inside the conditional? What if you do else 'die'? Does this still give the error:
    if ($base =~ m{^(http://[\w\.\/\-]+)$}) { $base = $1; print get("$base/index.html"); } else { die "$base didn't match\n"; }
Re: perl 5.8.4, IO::Socket, and taint checking
by Anonymous Monk on Aug 03, 2010 at 16:12 UTC
    Hi, I have encountered the same problem. I am using 5.8.8. Does anyone have a solution? Upendra
      This problem has reared its head in perl 5.14.2 on FreeBSD 8.3 in the execution of postgrey. Turning off taint checking makes the error go away.
      postgrey --inet=10023 --pidfile=/var/run/ \
      --user=postgrey --group=postgrey  --dbdir=/var/db/postgrey
      2013/03/27-08:53:46 postgrey (type Net::Server::Multiplex) starting! pid(45305)
      Resolved localhost:10023 to ::1:10023, IPv6
      Resolved localhost:10023 to ::1:10023, IPv6
      Resolved localhost:10023 to, IPv4
      Resolved localhost:10023 to, IPv4
      Duplicate configuration (TCP) on ::1:10023 with IPv6) - skipping
      Duplicate configuration (TCP) on with IPv4) - skipping
      Binding to TCP port 10023 on host ::1 with IPv6
      Insecure dependency in socket while running with -T switch at /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/ line 80.
      Is the bug in perl itself or in the perl modules it calls? All have been rebuilt and reinstalled from source in the past few days to ensure nothing was damaged or out of date. FWIW, it doesn't happen if you choose the unix domain socket but then you can't daemonize the process on the command line: you can add an & but you can't use the -d argument. Details:
      ===>   postgrey-1.34_4 depends on package: p5-Net-Server>=0 - found
      ===>   postgrey-1.34_4 depends on package: p5-IO-Multiplex>=0 - found
      ===>   postgrey-1.34_4 depends on package: p5-Parse-Syslog>=0 - found
      ===>   postgrey-1.34_4 depends on package: p5-BerkeleyDB>=0 - found
      ===>   postgrey-1.34_4 depends on package: p5-Net-DNS>=0 - found
      ===>   postgrey-1.34_4 depends on file: /usr/local/bin/perl5.14.2 - found
      make pretty-print-run-depends-list
      This port requires package(s) "db47- p5-BerkeleyDB-0.51 p5-Digest-HMAC-1.03 p5-IO-Multiplex-1.13 p5-IO-Socket-INET6-2.69 p5-Net-DNS-0.72 p5-Net-Server-2.007 p5-Parse-Syslog-1.10 p5-Socket6-0.23 perl-5.14.2_3" to run.
        FreeBSD bug filed against this here:

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://363466]
Approved by Happy-the-monk
Front-paged by mattriff
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (4)
As of 2017-03-25 18:35 GMT
Find Nodes?
    Voting Booth?
    Should Pluto Get Its Planethood Back?

    Results (312 votes). Check out past polls.