[Petal] More on taint issues with Petal 1.10_xx

William McKee william at knowmad.com
Thu Oct 16 16:20:28 BST 2003


Ok I see that I've either overwhelmed you with information, bored you to
tears, or no one thinks there is a security issue with eval'ing external
templates.

At any rate, I ran up against the splitpath error (which is what
prompted my whole thread about taint problems in 1.10_0x) while using
Safe in an unrelated package. I was able to track down the error to
the die sub in CGI::Carp which in turn calls a function named id() that
uses splitpath. I dunno why die was being called but simply commenting
out the use of this module fixed my error! Furthermore, File::Spec was
being properly use'd at the beginning of the file so I don't know why
Perl was complaining about it.

Nonetheless, by not using this module, I did not get the error. I was
even able to create a test script that demonstrated the problem. Using
this script, I was eventually able to correct the error. Unfortunately,
I don't have a clue as to what changed and cannot repeat the error
unless I set the input string to undef.

This success with fixing Safe in another module gave me hope that I
could get it working in Petal. So I went back to my Petal tests to see
if I could fix the taint problems there. Sure enough, I was able to now
run Petal with taintmode enabled ('PerlTaintCheck On' in httpd.conf and
$Petal::TAINT=1) without any errors from CGI::Carp.

So, am I the only one that has had taint problems? Is anyone else using
taint (I'm guessing not based on the lack of responses to my posts about
this issue)? I'd like to suggest that TAINT be reenabled in Petal since
the problem appears to be not with Petal but rather with an external
module. I'll continue to monitor the situation as I use taint checks on
my development server.

Thanks,
William

-- 
Knowmad Services Inc.
http://www.knowmad.com

