[Petal] Petal::TAINT problems under Apache::Registry

William McKee william at knowmad.com
Tue Oct 7 20:18:13 BST 2003


On Tue, Oct 07, 2003 at 11:37:16AM +0100, Jean-Michel Hiver wrote:
> On a side note, I'm wondering about this TAINT business altogether. I
> have made a little experiment:
> 
> In _code_memory_cached, I have removed all TAINT related logic. I then
> ran all the tests in the test suite running perl -Tw. And all tests
> pass!
> 
> So one question is: what is it in your scripts that make Petal think its
> input is unsafe? Where does it come from?

Actually, I tried a similar test and had no taint errors from Perl. This
makes me think that something has changed in the way that you are
retrieving the file from the disk which makes Perl no longer consider it
to be tainted. Do you canonicalize it before sending it to be eval'ed? That
may be sufficient to remove the taint flag which allows it to work
outside of a Safe compartment.


> Another question in my mind is: How come your scripts run fine with
> Petal 1.06 since I didn't change any of the taintmode logic that you
> submitted?

That's a good question which I was asking myself last night. I just
don't know. Is the code being eval'd any different now that there are
new Parsers?

That question made me test again with Petal::Parser::HTB. Ahha, I got a
taint error because I kept taint checks enabled but turned off
$Petal::TAINT. So, there is something different about the way MKDoc::XML
is parsing and returning code vs. HTML::TreeBuilder. Any ideas?


> Also, why do we need to use the Safe module for taintmode? Again, on my
> system the test suite passes with Taintmode and with none of that TAINT
> / Safe logic enabled.

I think it's a good practice to use the Safe module when dealing with
external code. In this case of template files, the code on the system
isn't that suspect, it's the info being passed from the web that could
affect the template code in unexpected ways that concerns me. Just
because I'm paranoid doesn't mean they're not out to get me ;->.


William

-- 
Knowmad Services Inc.
http://www.knowmad.com
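An added illustration of the three mechanisms the thread is arguing about (not Petal's code and not from either poster): under perl -T, data read from disk is tainted and eval STRING refuses it; a regex capture (the "canonicalize" step William mentions) clears the taint flag whether or not the pattern validates anything; and a Safe compartment still limits what the laundered code can do. The template string is a constructed stand-in for the compiled code Petal would eval. Run it as `perl -T taint_demo.pl`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Safe;
use File::Temp qw(tempfile);

# Constructed sample of "compiled template" code, written to a temp file so
# that it arrives through the same path a real template would: the filesystem.
my ($fh, $path) = tempfile(UNLINK => 1);
print $fh 'my %args = (name => "world"); "Hello, " . $args{name}';
close $fh;

# 1. Anything read from a file is tainted under -T.
open my $in, '<', $path or die "open: $!";
my $code = do { local $/; <$in> };
close $in;
print "read from disk: ", (tainted($code) ? "tainted" : "untainted"), "\n";

# 2. eval STRING of tainted data dies ("Insecure dependency in eval ...");
#    the die is caught by eval and lands in $@.
my $r = eval $code;
print "plain eval: ", ($@ ? "refused: $@" : "ran, returned '$r'\n");

# 3. A regex capture is Perl's sanctioned untainting step. This pattern
#    accepts everything, so it launders the flag without validating anything;
#    a real canonicalizer must constrain the pattern to what it expects.
my ($laundered) = $code =~ /\A(.*)\z/s;
print "after regex capture: ",
      (tainted($laundered) ? "tainted" : "untainted"), "\n";

# 4. Taint and Safe are independent controls: the laundered string is now
#    eval-able, and the compartment's default opmask decides what it may do.
my $cpt   = Safe->new;
my $value = $cpt->reval($laundered);
print "Safe reval: ", (defined $value ? "'$value'" : "failed: $@"), "\n";

# Code reaching outside the sandbox is stopped by the opmask, not by taint.
$cpt->reval('open my $f, "<", "/dev/null"');
print "Safe blocked: $@" if $@;
```

The point for the Petal discussion is that a loose untainting regex makes the taint error disappear without making the input any safer, which is why the Safe compartment earns its keep independently of $Petal::TAINT.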