
RE: "Insecure dependency in eval while running setgid" error


Hi Rob,

Thanks for your response.

> -----Original Message-----
> From: Robert Landrum [mailto:suppressed 
> Sent: 28 March 2007 18:06
> To: Perrin Harkins
> Cc: Shah, Sagar: IT (LDN); suppressed
> Subject: Re: "Insecure dependency in eval while running setgid" error
> 
> Perrin Harkins wrote:
> > On 3/28/07, suppressed
> > <suppressed> wrote:
> >> > Keep taint mode on in dev, so you can identify your issues in
> >> > development, then turn it off in prod.
> >>
> >> Is that actually the generally recommended approach?
> > 
> > It's hard to know for sure that you've tried every code path in dev,
> > even if you do use coverage analysis.
> > 
> 
> Here's the bit that's causing the issue...
> 
>          # DON'T LOOK NOW! - blindly untainting can make you go blind!
>          $block =~ /(.*)/s;
>          $block = $1;
> 
>          $block = eval $block;
> 
> That's a little bit nasty, but perfectly valid.  $block is 
> coming from a 
> document containing some sort of code, I think.  I didn't dig 
> too deep.

Yup, included that fragment in my original mail.  That should be
untainting everything, although I guess it's only untainting the "string
of the code" and the code could throw a taint error itself when eval
runs it.  I only have three templates and these are loaded the vast
majority of the time without causing any issue at all...  Also the
fact that I've seen the same error from other evals in the code, such as
eval "use $module;", still makes me think it's got more to do with
the interpreter state between calls.

> You could add:
> 
>           warn "BLOCK: $block\n";
> 
> just above the eval, which will log all the "blocks" that are
> being eval'd, to figure out which one is giving you the trouble.

That's a useful suggestion, I'll give that a try. What I'm expecting to
find is that the $block that causes the error is identical to previous
$block values which don't cause an error, but this will be a good thing
to actually prove.

Thanks very much.

> 
> Rob
> 
> 
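The two points raised in this exchange, that `/(.*)/s` launders any string regardless of content and that an untainted code string can still raise a taint error when the code it contains touches tainted data, can be shown directly under `perl -T`. The script below is an added example for this archive page, not code from the thread or from the poster's application; `launder_blindly` and `untaint_template_name` are names chosen here, the tainted input is constructed with the perlsec `substr($ENV{PATH}, 0, 0)` idiom, and the last step assumes `$ENV{HOME}` is set. Run it as `perl -T untaint_demo.pl`.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): how taint mode treats the two
# untainting styles, and why an untainted code string can still trip
# "Insecure dependency" once eval runs it.  Run as:  perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec idiom: concatenating an empty tainted substring taints a value.
# Under -T every %ENV entry is tainted, so this stands in for content
# read from an untrusted document (constructed input).
my $taint = substr($ENV{PATH} // '', 0, 0);

sub launder_blindly {
    # The pattern from the thread: /(.*)/s matches anything, so $1 is
    # always "clean" in perl's eyes, whatever the string holds.
    my ($block) = @_;
    $block =~ /(.*)/s;
    return $1;
}

sub untaint_template_name {
    # Validating untaint: only a short identifier survives; anything
    # else is rejected instead of being laundered.
    my ($name) = @_;
    return $name =~ /\A([A-Za-z0-9_]{1,64})\z/ ? $1 : undef;
}

# 1. Blind laundering: the string comes out untainted, eval is allowed,
#    and whatever code it holds runs.
my $code = "2 + 40" . $taint;
printf "raw block tainted: %d\n", tainted($code) ? 1 : 0;
my $clean  = launder_blindly($code);
my $result = eval $clean;
printf "laundered tainted: %d, eval result: %s\n",
    tainted($clean) ? 1 : 0, defined $result ? $result : "died: $@";

# 2. Validated untaint: a template name passes, a code-shaped value is
#    rejected rather than silently untainted.
for my $candidate ("header_v2" . $taint, "header; print 1" . $taint) {
    my $ok = untaint_template_name($candidate);
    printf "%-20s -> %s\n", "'$candidate'",
        defined $ok ? "accepted '$ok'" : "rejected";
}

# 3. The code string itself is untainted, but the code reads tainted
#    data (%ENV) and hands it to a taint-checked op, so eval dies at run
#    time.  Untainting the source text does not untaint what the code
#    touches while it runs.  (Assumes $ENV{HOME} is set.)
my $inner = launder_blindly(
    'open(my $fh, ">", "$ENV{HOME}/.taint_demo") or die "open: $!"; 1'
    . $taint);
my $ret = eval $inner;
print "eval of untainted code died: $@" unless defined $ret;
```

Step 3 is the case the poster suspects: the `warn "BLOCK: $block\n"` suggestion shows which block is being evaluated, but the block that fails may look identical to the ones that succeed if the failure comes from the tainted values the code consults (environment, file contents, request data) rather than from the code text itself.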