Hi all,

The site I develop (Apache 2.2.3, mod_perl 2.0.2 [perl 5.8.5], Mason 1.33)
runs with taint checking ("PerlSwitches -wT -I/www"). It's been working fine
for many months now, with my scripts happily untainting variables as
required.

In the last couple of weeks, all of a sudden I am seeing occasional and
sporadic "Insecure dependency in XXX while running setgid" errors all around
the site. Seemingly important things I've observed about the errors:
- they seem to start after the server's been running for a day or two;
  restarting it makes them go away for a while
- inconsistent: after an occurrence (which returns 500 to the client), simply
  hitting reload in the browser gets the same request answered successfully
- not process dependent: the reload is successful whether the request hits the
  same Apache child that previously had the error, or a different child
- nonsensical: one of the places I found it occurring is in a sysopen() using a
  variable which was explicitly untainted in the preceding two lines of code
- not limited to any particular script; when they happen, they can be anywhere
  in my code that taint checking matters

I've been doing a lot of development lately (in particular adding a CDBI based
system), but these errors are occurring in scripts that haven't been touched
in over a year.

After some investigation, all I've learned is that perl definitely does think
the variables are tainted (duh!). I'm afraid I have little idea of what to
do next. Any suggested courses of inquiry I could take up would be greatly
appreciated.

Regards,
Charlie
--
Charlie Katz
Harvard-Smithsonian Center for Astrophysics
[EMAIL PROTECTED]