[Catalyst] Taint mode ->FormFu -> Insecure dependency

Stefan catalyst at s.profanter.me
Tue Sep 13 12:25:32 GMT 2011


I'm using Catalyst with FormFu in Apache2 and have switched on the taint mode
in Apache config:


PerlTaintCheck on


Pages without a form are working without problems.


Now I have a simple contact form created with FormFu which works fine in
Catalyst Development Server.


But in Apache I get the following error:

[error] Caught exception in MyApp::Controller::Contact->index "Insecure
dependency in require while running with -T switch at
/usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 371.

at /usr/local/share/perl/5.10.1/HTML/FormFu/Role/CreateChildren.pm line 136

at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179"


Now I've modified the Util.pm so that I get a more detailed view on the
tainted variable:

    if ( !exists $::INC{$class} ) {
        # Added by myself:
        if ( tainted($class) ) {
            die "This require is tainted: " . $class;
        }

        eval { require $class };    # This is line 371


Now I get the following error message:

[error] Caught exception in MyApp::Controller::Contact->index "This require
is tainted: HTML/FormFu/Element/Select.pm at
/usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 376.

at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179"


I think the problem is that FormFu reads the .yml file and determines
which modules to 'require'. Because the require value is read from a file, I
get an Insecure Dependency error.


One solution is to disable TaintMode, but I think this isn't recommended.


How can I solve this problem?


Sorry for my recent flood of questions but I can't find a solution by

Thanks a lot for your help!!
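
Added example, not part of the original post and not HTML::FormFu's own code: a general way to satisfy taint mode for a value like the `$class` above is to validate it against a strict pattern and `require` the regex capture, which Perl treats as untainted. The helper name `untaint_module_path`, the choice of `HTML/FormFu/Element` as the allowed prefix, the script file name and the sample values are assumptions made for illustration.

```perl
# Run with: perl -T untaint_demo.pl   (file name is a placeholder)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper, not part of HTML::FormFu. Accepts only paths of the
# form "<prefix>/Name.pm" whose segments are plain identifiers and returns
# the regex capture, which Perl treats as untainted. Returns undef otherwise.
sub untaint_module_path {
    my ( $path, $prefix ) = @_;
    my ($clean) =
        $path =~ m{\A ( \Q$prefix\E (?: / [A-Za-z_][A-Za-z0-9_]* )+ [.]pm ) \z}x;
    return $clean;
}

# Constructed sample values standing in for element types read from a .yml
# file. Appending a zero-length slice of $^X taints them when running under -T.
my $taint       = substr( $^X, 0, 0 );
my @from_config = map { $_ . $taint } (
    'HTML/FormFu/Element/Select.pm',
    'HTML/FormFu/Element/../Util.pm',
    'Other/Module.pm',
);

for my $path (@from_config) {
    my $clean = untaint_module_path( $path, 'HTML/FormFu/Element' );
    if ( !defined $clean ) {
        print "rejected: $path\n";
        next;
    }
    printf "accepted: %s (tainted before: %d, after: %d)\n",
        $clean, tainted($path) ? 1 : 0, tainted($clean) ? 1 : 0;

    # With the untainted copy, require no longer dies with "Insecure
    # dependency"; any remaining error is an ordinary one such as
    # "Can't locate ..." when the module is not installed.
    if ( !exists $INC{$clean} ) {
        eval { require $clean; 1 } or print "  require failed: $@";
    }
}
```

The pattern is anchored with `\A` and `\z` and allows only identifier segments, so the untainted copy is limited to modules under the one expected namespace.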

