Date: Tue, 6 May 2003 10:18:33 +0100
From: Graham Barr <gbarr [...] pobox.com>
To: bug-perl-ldap [...] rt.cpan.org
Subject: [Fwd] Re: Insecure dependency in perl-ldap 0.21+
----- Forwarded message from Ziya Suzen <ziya@ripe.net> -----
Date: Thu, 9 Jan 2003 14:27:50 +0100
To: Graham Barr <gbarr@pobox.com>, Chris Ridd <chrisridd@mac.com>,
perl-ldap-dev@lists.sourceforge.net
From: Ziya Suzen <ziya@ripe.net>
Subject: Re: Insecure dependency in perl-ldap 0.21+
> It looks fine to me. I am intrigued why this fixes the problem though
> as it changes little.
In Net::LDAP::Message::error() $self->server_error returns
$self->{errorMessage} which is considered tainted by Perl 5.6.0 but
not 5.8.0.
Is $self->{errorMessage} set anywhere else than in set_error()? By
Convert::ASN1?
Maybe it's not a real big deal since with 5.8.0 it seems to be working
fine (although I haven't upgraded production to 5.8 yet, where I get
these taint errors now and then).
The patch I sent is actually a workaround kind of thing. According to
Perl issue 17867:
http://archive.develooper.com/perl5-porters@perl.org/msg87991.html
From that article:
$ perl -Tle '$cmd="print q(foo)";$cmd.=".q(bar)" if pop; eval $cmd' foo
Insecure dependency in eval while running with -T switch at -e line 1.
$ perl -Tle '$cmd="print q(foo)";if(pop){$cmd.=".q(bar)"} eval $cmd' foo
foobar
Cheers,
Ziya.
----- End forwarded message -----
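The thread turns on a value ($self->{errorMessage}, text the LDAP server controls) being tainted on one perl and not another, and on eval being the taint-checked sink that notices. The script below is an added example, not code from perl-ldap or from the messages above. It constructs a tainted stand-in for the error message, shows that copying or interpolating it does not clear the flag, shows the "Insecure dependency in eval" failure from the quoted one-liner (caught, so the script can continue), and then untaints the value the supported way, with an allowlist regex capture. The allowlist character class, the file name, and the assumption that PATH is set in the environment are all this example's own.

```perl
#!/usr/bin/perl -T
# Added example, not code from perl-ldap or from the thread above.
# Shows how Perl's taint mode treats a server-supplied string that reaches
# a taint-checked operation (eval, the sink in the quoted one-liner), and
# how an allowlist regex capture is the supported way to untaint it.
# Run as:  perl -T taint_eval_demo.pl   (or chmod +x and run it directly;
# "perl taint_eval_demo.pl" without -T fails with "Too late for -T").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, @ARGV, %ENV, and anything read from a file or socket is tainted.
# A zero-length slice of $ENV{PATH} is the usual way to get a tainted empty
# string; concatenating it taints whatever it touches.  (Assumes PATH is set.)
my $TAINT = substr($ENV{PATH}, 0, 0);

# Stand-in for $self->{errorMessage}: text the LDAP server controls.
# Constructed here for the demo; a real one arrives over the wire.
my $error_message = 'join("", "f", "o", "o")' . $TAINT;

# Copying or interpolating does not clear the flag; only a regex capture
# (and a few other explicit operations) does.
my $copy   = $error_message;
my $interp = "$error_message";

# Evaluate a string and report whether taint mode let it run.  The block
# eval matters: the taint check fires when the string eval is entered,
# before the string eval's own frame exists, so without the block the
# "Insecure dependency" croak is fatal to the whole program, exactly as in
# the one-liner quoted above.
sub try_eval {
    my ($label, $code) = @_;
    my $result = eval { my $r = eval $code; die $@ if $@; $r };
    if (defined $result) {
        printf "%-9s tainted=%d ran, returned %s\n",
            $label, tainted($code) ? 1 : 0, $result;
    } else {
        printf "%-9s tainted=%d refused: %s",
            $label, tainted($code) ? 1 : 0, $@;
    }
    return $result;
}

# Untaint by matching an explicit allowlist and using only the capture.
# Perl untaints captures precisely so the programmer has to state what
# "safe" looks like; /(.*)/ defeats the whole mechanism.  The character
# class here is an assumption for this demo, not a general-purpose filter.
sub untaint {
    my ($s) = @_;
    return undef unless $s =~ /\A([A-Za-z0-9 _.,:()"'-]{1,200})\z/;
    return $1;
}

try_eval('original', $error_message);
try_eval('copy',     $copy);
try_eval('interp',   $interp);

my $clean = untaint($error_message);
if (defined $clean) {
    try_eval('untainted', $clean);
} else {
    print "untaint: message contains characters outside the allowlist\n";
}

# For the thread above: if errorMessage is tainted on your perl, keep it out
# of taint-checked sinks (eval, open for writing, system, unlink, ...) or
# untaint it deliberately, rather than relying on version-specific
# behaviour of the checker.
```

The first three calls print "refused: Insecure dependency in eval while running with -T switch ..." because the flag survives assignment and interpolation; the fourth runs and returns foo because the capture is clean. Note that untainting does not make eval of server-supplied text a good idea; the capture is shown because the same allowlist technique is what you would use when such a value has to reach any taint-checked operation, such as a file name passed to open or unlink.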