Subject: Fatal taint error in CGI::Session::ErrorHandler
Environment:
CGI::Session 4.41 # $Id: Session.pm 459 2009-03-21 02:00:17Z markstos $
Perl v5.10.0 built for i486-linux-gnu-thread-multi
Linux Ubuntu 8.10, kernel 2.6.27-23-xen
What happened:
I had a setup problem (database table didn't exist) when invoking
CGI::Session. Instead of reporting the error, a fault occurred within
CGI::Session.
The error message was: "Insecure dependency in sprintf while running
with -T switch at
/usr/local/share/perl/5.10.0/CGI/Session/ErrorHandler.pm line 45"
The problem occurred when I was running Perl 5.10.0. In Perl 5.8.8,
with the same code and different setup problems, the problem did not occur.
The likely explanation: newer Perls reject any tainted format argument
in sprintf:
http://search.cpan.org/~rgarcia/perl-5.9.5/pod/perl595delta.pod#Tainting_and_printf
http://www.nntp.perl.org/group/perl.perl5.porters/2008/01/msg133691.html
The following workaround allows execution to proceed with a blanket
untaint of the variable in question:
42a43,44
> $message =~ m/^(.*)$/;
> $message = $1;
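Review bot: the first added line never checks that the match succeeded, so the second line can assign a stale `$1`. Without `/s`, `.` does not match a newline, so `m/^(.*)$/` fails on a message with an embedded newline, and `$1` then still holds whatever an earlier successful match left behind. A message with only a trailing newline matches but loses that newline. If the untaint stays, capture in list context with `/s`, for example `($message) = $message =~ m/^(.*)$/s;`, and handle the no-match case. Since the report attributes the failure to a tainted sprintf format, it would be cleaner to keep the format constant and pass the message as an argument, which needs no blanket untaint at all.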
However, I did not examine the security implications of this workaround.
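
The behaviour described in this report, as an added example that is not part of the original report or of CGI::Session's code: under `-T` on Perl 5.10 or later, a tainted string is rejected as a sprintf format but accepted as an argument to a constant format. The two handler functions and the sample message are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T taint_sprintf.pl   (Perl 5.10 or later)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample message. Appending a zero-length slice of the tainted
# $^X taints the whole string without changing its text.
my $message = "DBD error: table 'sessions' doesn't exist" . substr($^X, 0, 0);

# Hypothetical handler that uses the message itself as the sprintf format.
sub format_error_as_format {
    my ($fmt, @args) = @_;
    return sprintf($fmt, @args);
}

# Hypothetical handler that keeps the format constant and passes the
# message as data, so taint checking stays on and nothing is untainted.
sub format_error_as_data {
    my ($msg) = @_;
    return sprintf('%s', $msg);
}

print "message tainted: ", (tainted($message) ? "yes" : "no"), "\n";

# Tainted format: sprintf dies with "Insecure dependency in sprintf".
my $out = eval { format_error_as_format($message) };
if (defined $out) {
    print "tainted format:  accepted\n";
}
else {
    print "tainted format:  died: $@";
}

# Constant format: sprintf succeeds and the result remains tainted,
# so later taint checks on the message still apply.
$out = eval { format_error_as_data($message) };
if (defined $out) {
    print "constant format: ok, result tainted: ",
        (tainted($out) ? "yes" : "no"), "\n";
}
else {
    print "constant format: died: $@";
}
```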