5

When running a perl CGI script in taint mode, I get an error of the form...

Insecure dependency in some_function while running with -T switch at (eval some_line) line some_other_line.
Compilation failed in require at my-script.cgi line 39.
BEGIN failed--compilation aborted at my-script.cgi line 39.

my-script.cgi line 39 is a use statement for a perl module which does not itself use eval or some_function, but presumably uses another library which does. The some_line and some_other_line line numbers don't seem to make sense in either my-script.cgi or the library which is 'use'd on line 39 of my-script.cgi.

Given this error, how can I track down where the taint error is occurring?

I've tried setting a new die signal handler which should print a stack trace, i.e.

$SIG{ __DIE__ } = sub { require Carp; Carp::confess(@_); };

but this seems to have no effect on the error. Perhaps this is the wrong signal to be trapping, not happening early enough, or something more complex is required.

Matt Sheppard
  • 111,039
  • 46
  • 105
  • 128
  • 3
    By slowly moving a die statement around I managed to narrow down the problem enough to find that a bug in CGI.pm was the underlying cause of the specific problem I was running into - http://www.nntp.perl.org/group/perl.perl5.porters/2008/01/msg133691.html I'd still be very interested in a general way of tracking this kind of problem down though. – Matt Sheppard Jun 15 '11 at 05:28
  • 1
    And this is why people *should* be using CGI.pm for CGI (as opposed to just 'doing it yourself'). Bugs are found through the stress test of thousands of users (like you), reported, and fixed. Good job on finding the problem too. – DavidO Jun 15 '11 at 05:39

2 Answers2

4

Carp::Always works fine with exceptions raised by taint checks. Example output:

$ perl -MCarp::Always -T blah.pl
Insecure dependency in sprintf while running with -T switch at blah.pl line 6
        main::foo() called at blah.pl line 8
        main::bar() called at blah.pl line 10
daxim
  • 38,078
  • 4
  • 57
  • 123
  • Looks like a nice plan, but I couldn't get it to work. Adding `-I the_carp_always_install_location -MCarp::Always` to the perl invocation for the CGI seemed to have no effect. Possibly it would work correctly running it directly on the command line as you showed, but since the error is being triggered by POSTing a file file upload, I'd have to work out how to simulate that from the command line. – Matt Sheppard Jun 16 '11 at 06:07
  • That looks handy, but unless I'm missing something it doesn't say how to fake a file upload, just normal POST parameters (unless there's some way I'm not aware of to send a POST parameter which is actually a file upload). Looks like this thread might get me some of the way though - http://www.perlmonks.org/?node_id=667813 – Matt Sheppard Jun 20 '11 at 05:46
2

I use Devel::SimpleTrace a lot these days for debugging and it recently helped me find a taint bug when using Archive::Zip.

However, I don't know if it would have worked in your case since it is essentially setting the same sig handler that you used.

jmcnamara
  • 29,085
  • 5
  • 64
  • 80