Ok, the date issue I can solve using the built-in date functionality. The second issue, I am trying to see if the data is untainted by using

    my $err_file = $ENV{"SLS_LOG_PATH"} . "/drivererror" . $rt_id . ".err";
    if ($err_file =~ /^([EMAIL PROTECTED])$/) {
        $err_file = $1;    # $err_file now untainted
    } else {
        die "Bad data in '$err_file'";    # log this somewhere
    }

But this falls into the else section and the message

    Bad data in '/var/appl/sls/log/drivererror1757.err' at /var/appl/sls/bin/driver.pl line 1256

gets printed out. According to the documentation, this should clear up the issue, but I am unsuccessful so far.

Chris
-----------------------------------------------
Just Your Friendly Neighborhood
_SPIDEY_

> -----Original Message-----
> From: Wiggins d'Anconia [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 09, 2005 11:20 AM
> To: Tantalo, Christopher G
> Cc: beginners-cgi@perl.org
> Subject: Re: Insecure setuid?
>
> Tantalo, Christopher G wrote:
> > Can anyone shed some light on what this error means?
> > Insecure $ENV{PATH} while running setuid at
> > /var/appl/sls/bin/driver.pl line 1104.
> > Line 1104 is
> > print `date`;
> >
>
> You shouldn't shell out to date anyways, especially in the
> above manner with no error checking, etc. Perl has builtin
> functions for collecting date information.
>
> > If I comment this out, then the following error message appears:
> > Insecure dependency in open while running setuid at
> > /var/appl/sls/bin/driver.pl line 1249.
> > Line 1249 is
> > my $err_file = $ENV{"SLS_LOG_PATH"} . "/drivererror" . $rt_id . ".err";
> > actually 1249 ---> open(ERR_FILE,">>$err_file") ||die "cannot open $err_file for reading:$!";
> >
> > Not sure what insecure warnings mean in terms of setuid. Any answer
> > would be much appreciated.
> > Thanks
> > Chris
>
> Because you are running setuid the taint mechanism is on. See,
>
> perldoc perlsec
>
> For more info. Whenever you have an error/warning you don't
> understand that was thrown by Perl you can find more info in:
>
> perldoc perldiag
>
> HTH,
>
> http://danconia.org
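
Added example, not part of the thread above and not the poster's code: one way to build and open the error log under taint mode, untainting the directory and the numeric id separately with anchored allow-list patterns. An untainting pattern has to admit every character of the value it is matched against, including the "/" of an absolute path, or the match fails and the die branch runs. The helper names untaint_dir and untaint_id, the allowed character set, the /tmp fallback and the sample id are assumptions made for illustration.

```perl
# Run as: perl -T example.pl   (taint mode is also enabled automatically under setuid)
use strict;
use warnings;
use POSIX qw(strftime);

# %ENV is tainted. Set a fixed PATH and drop the variables perlsec names
# before anything is executed through a shell.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: return an untainted absolute directory, or die.
sub untaint_dir {
    my ($dir) = @_;
    # Reject ".." path components before applying the allow-list.
    die "Bad directory '$dir'" if $dir =~ m{(?:^|/)\.\.(?:/|$)};
    # Allow-list (assumed policy): absolute path of word chars, ".", "-" and "/".
    $dir =~ m{\A(/[\w./-]+)\z} or die "Bad directory '$dir'";
    return $1;    # a capture from a successful match is untainted
}

# Hypothetical helper: accept numeric ids only.
sub untaint_id {
    my ($id) = @_;
    $id =~ /\A(\d+)\z/ or die "Bad id '$id'";
    return $1;
}

# Constructed sample values: /tmp stands in when SLS_LOG_PATH is unset,
# and 1757 is the id visible in the error message quoted in the thread.
my $log_dir  = untaint_dir($ENV{SLS_LOG_PATH} // '/tmp');
my $rt_id    = untaint_id('1757');
my $err_file = "$log_dir/drivererror$rt_id.err";

# Built-in date handling in place of print `date`.
my $stamp = strftime('%Y-%m-%d %H:%M:%S', localtime);

# Three-argument open with a lexical handle; the filename is now untainted.
open(my $err_fh, '>>', $err_file)
    or die "cannot open $err_file for appending: $!";
print {$err_fh} "$stamp driver started\n";
close($err_fh) or die "cannot close $err_file: $!";
```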