[Petal] More on taint issues with Petal 1.10_xx

Kurt Stephens kstep at pepsdesign.com
Thu Oct 16 21:17:19 BST 2003


> At any rate, I ran up against the splitpath error (which is what
> prompted my whole thread about taint problems in 1.10_0x) while using
> Safe in an unrelated package. I was able to track down the error to
> the die sub in CGI::Carp which in turn calls a function named id() that
> uses splitpath.

Very interesting.  I had a problem with Petal-1.10_05 failing the 027_Eval
test while installing on my Win2K box with ActiveState Perl 5.8.0.  It seems
like a problem with Carp.pm refusing to die properly when run in a Safe
compartment.  This causes the <?eval?>...<?endeval?> construct and the
petal:on-error attribute to fail when $Petal::TAINT is on.  I ran some tests
based on the cached template code generated by Petal and using similar code
that did not use Petal at all, with the same results.  It appears that there
is a problem when the code croaks or confesses in the Safe compartment.  I
still have not figured out whether this is due to improper $SIG{__DIE__}
handling or whether $@ is being localized and never returned outside of the
Safe compartment.  Again, this looks like a problem with the interaction
between Carp and Safe, rather than a bug in Petal.

Cheers,

Kurt Stephens
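The post above leaves open whether the failure comes from $SIG{__DIE__} handling or from $@ being localized inside the compartment. The following script is an added diagnostic, not code from the original message or from the Petal project; it assumes only core Perl with Safe and Carp available, shares Carp's croak and confess into the compartment with share_from, and for each of die, croak and confess reports whether an outer __DIE__ hook fired and what $@ contains after Safe->reval returns. The template code and the $Petal::TAINT setup from the thread are not reproduced here.

```perl
#!/usr/bin/perl
# Added diagnostic (not from the original post): run die, croak and confess
# inside a Safe compartment and report, for each, whether a $SIG{__DIE__}
# hook installed outside the compartment fired and what $@ holds afterwards.
use strict;
use warnings;
use Safe;
use Carp qw(croak confess);

my $cpt = Safe->new;
# Carp's functions are imported into main here; make them visible inside the
# compartment so the compartment code can call croak/confess by name.
$cpt->share_from('main', [ '&croak', '&confess' ]);

# Constructed test snippets; each ends in "1" so a return value of undef
# can only mean the eval aborted.
my @cases = (
    [ 'die',     'die "plain die inside Safe\n"; 1' ],
    [ 'croak',   'croak "croak inside Safe"; 1' ],
    [ 'confess', 'confess "confess inside Safe"; 1' ],
);

for my $case (@cases) {
    my ($name, $code) = @$case;
    my $hook_fired = 0;
    my $hook_msg   = '';
    {
        # Hook installed in the outer scope. If __DIE__ handling were the
        # problem, this would not fire for errors raised in the compartment.
        local $SIG{__DIE__} = sub { $hook_fired = 1; $hook_msg = $_[0] };

        my $rv = $cpt->reval($code);

        # Safe->reval returns undef on error and leaves the message in $@.
        # An undef return with an empty $@ would point at $@ being lost
        # (localized) on the way out rather than at the __DIE__ hook.
        printf "%-8s rv=%s hook_fired=%d hook_msg=%s \$\@=%s\n",
            $name,
            defined $rv ? $rv : 'undef',
            $hook_fired,
            length $hook_msg ? "'$hook_msg'" : '(none)',
            length $@        ? "'$@'"        : '(empty)';
    }
}
```

Run it once with Carp loaded normally and, if the suspicion about Carp is right, the die case and the croak/confess cases will differ in either the hook_fired column (hook problem) or the $@ column (localization problem), which is the distinction the post says it has not yet been able to make.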


