[Catalyst] Taint mode ->FormFu -> Insecure dependency
Stefan
catalyst at s.profanter.me
Tue Sep 13 12:25:32 GMT 2011
Hi,
I'm using Catalyst with FormFu in Apache2 and have switched on taint mode
in the Apache config:
    PerlTaintCheck on
Pages without a form are working without problems.
Now I have a simple contact form created with FormFu which works fine in
Catalyst Development Server.
But in Apache I get the following error:
[error] Caught exception in MyApp::Controller::Contact->index "Insecure
dependency in require while running with -T switch at
/usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 371.
at /usr/local/share/perl/5.10.1/HTML/FormFu/Role/CreateChildren.pm line 136
at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179"
Now I've modified the Util.pm so that I get a more detailed view on the
tainted variable:
    if ( !exists $::INC{$class} ) {
        # Added by myself:
        if (tainted($class))
        {
            die "This require is tainted: " . $class;
        }
        eval { require $class };    # This is line 371
    .
Now I get the following error message:
[error] Caught exception in MyApp::Controller::Contact->index "This require
is tainted: HTML/FormFu/Element/Select.pm at
/usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 376.
at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179"
I think the problem is that FormFu reads the .yml file and determines
which modules to 'require'. Because the require value is read from a file, I
get an Insecure Dependency error.
One solution is to disable TaintMode, but I think this isn't recommended.
How can I solve this problem?
Sorry for my recent flood of questions, but I can't find a solution by
googling.
Thanks a lot for your help!!
Stefan
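
The failure described in this message, reproduced outside Catalyst as an added example (not part of the original post and not FormFu's code): a module name read from a file is tainted, so `require` refuses it until the name has been validated and copied out of a regex capture. `module_path_for` is a hypothetical helper, and the `Text` namespace and the two input lines are constructed stand-ins for `HTML::FormFu::Element` and the element types in the .yml file.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_require.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper, not FormFu's code: map an element type taken from
# a config file to a module path that may be passed to require under -T.
sub module_path_for {
    my ($namespace, $type) = @_;
    # Only "::"-separated ASCII identifiers pass. Copying $1 is what
    # clears the taint flag, so the pattern has to be this strict.
    my $clean;
    if ($type =~ /\A([A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*)\z/) {
        $clean = $1;
    }
    else {
        die "rejected element type\n";
    }
    (my $file = "${namespace}::${clean}.pm") =~ s{::}{/}g;
    return $file;
}

# Constructed sample input. Anything read from a filehandle is tainted,
# just like the element types FormFu reads from the .yml file.
# "Text" is a core namespace standing in for HTML::FormFu::Element so the
# script runs without FormFu installed.
while (my $type = <DATA>) {
    chomp $type;
    printf "%-16s tainted=%d\n", $type, tainted($type) ? 1 : 0;

    # Same failure as in the post: the path is built from tainted data.
    (my $raw = "Text::$type.pm") =~ s{::}{/}g;
    eval { require $raw; 1 } or print "  raw require:   $@";

    # Validated path: require succeeds, or the value is refused outright.
    my $ok = eval { my $file = module_path_for('Text', $type); require $file; 1 };
    print "  validated:     ", ($ok ? "loaded\n" : $@);
}

__DATA__
Wrap
../../tmp/other
```

The namespace is passed as a literal, so only the validated suffix comes from configuration; a name that is not a plain identifier path is refused rather than cleaned up.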