[Catalyst] Taint mode ->FormFu -> Insecure dependency

Carl Franks fireartist at gmail.com
Tue Sep 13 13:12:25 GMT 2011


On 13 September 2011 13:25, Stefan <catalyst at s.profanter.me> wrote:
> Hi,
>
> I’m using Catalyst with FormFu in Apache2 and have switched on taint mode
> in the Apache config:
>
>     PerlTaintCheck on
>
> Pages without a form are working without problems.
>
> Now I have a simple contact form created with FormFu which works fine in
> the Catalyst development server.
>
> But in Apache I get the following error:
>
>     [error] Caught exception in MyApp::Controller::Contact->index "Insecure
>     dependency in require while running with -T switch at
>     /usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 371.
>     at /usr/local/share/perl/5.10.1/HTML/FormFu/Role/CreateChildren.pm line 136
>     at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179"
>
> Now I’ve modified Util.pm so that I get a more detailed view of the
> tainted variable:
>
>     use Scalar::Util qw(tainted);    # needed for tainted() below
>     ...
>     if ( !exists $::INC{$class} ) {
>         # Added by myself:
>         if ( tainted($class) ) {
>             die "This require is tainted: " . $class;
>         }
>         eval { require $class };     # This is line 371
>         ...
>
> Now I get the following error message:
>
>     [error] Caught exception in MyApp::Controller::Contact->index "This require
>     is tainted: HTML/FormFu/Element/Select.pm at
>     /usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 376.
>     at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179"
>
> I think the problem is that FormFu reads the .yml file and determines
> which modules to ‘require’. Because the value passed to require is read from a
> file, I get an Insecure Dependency error.
>
> One solution is to disable taint mode, but I think this isn’t recommended.

I gave up using Taint several years ago, due to a number of Catalyst's
dependencies being incompatible (I can't remember which, now).

I'd be surprised if this is the only error you run into.
I'd recommend not just trying to switch TaintMode on under apache -
instead, if your application has a comprehensive test suite, run it
with Taint on - otherwise, completely reinstall all the cpan modules
you've already installed - this time with Taint mode forced on under
the install / test harness.
This will reduce the likelihood of you randomly hitting errors at runtime.

Carl
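The mechanism behind the error above, as an added stand-alone example that is not part of the thread and not FormFu's code: a module name read from a file is tainted, `require` of a tainted string dies under `-T`, and the fix is to untaint by validating the value against a strict whitelist pattern and requiring only the captured copy. The config file contents, the `class_to_file` and `untaint_module_path` helpers and the regex are all my own assumptions for the demonstration; the module list deliberately contains one path-traversal entry to show that validation, not `.*`, is what makes untainting safe.

```perl
#!/usr/bin/perl -T
# Added example (not from FormFu or the original posters): taint propagation
# from a config file into require(), and a whitelist-based untaint.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempfile);

# Constructed sample config: one class name per line, the way a YAML-driven
# form builder might list element/plugin classes. It is written to a real
# temp file so that the data genuinely originates from a file and is tainted.
my ($out, $cfgfile) = tempfile(UNLINK => 1);
print {$out} "List::Util\nText::Wrap\n../../etc/passwd\n";
close $out;

# Turn Foo::Bar into the relative path Foo/Bar.pm that `require EXPR` expects.
# The result stays tainted because it is derived from tainted input.
sub class_to_file {
    my ($class) = @_;
    (my $file = $class) =~ s{::}{/}g;
    return "$file.pm";
}

# Untaint by validating: identifiers separated by '/', ending in '.pm',
# no leading '/', no '.', so no absolute paths or traversal. Only the
# captured $1 is clean; a catch-all like (.*) would defeat taint mode.
sub untaint_module_path {
    my ($file) = @_;
    return unless $file =~ m{^([A-Za-z_]\w*(?:/[A-Za-z_]\w*)*\.pm)\z};
    return $1;
}

open my $cfg, '<', $cfgfile or die "open $cfgfile: $!";
while (my $class = <$cfg>) {
    chomp $class;
    my $file = class_to_file($class);
    printf "%-22s tainted=%d\n", $file, tainted($file) ? 1 : 0;

    # 1. Requiring the tainted value dies; this is the
    #    "Insecure dependency in require" from the original report.
    eval { require $file };
    print "  raw require: $@" if $@;

    # 2. Validate first, then require the untainted copy.
    my $clean = untaint_module_path($file);
    if ( !defined $clean ) {
        print "  rejected: '$file' is not a valid module path\n";
        next;
    }
    if ( eval { require $clean; 1 } ) {
        print "  loaded $clean\n";
    }
    else {
        print "  load failed: $@";
    }
}
close $cfg;
```

Run it as `perl -T taint_require.pl`: perl refuses to start if `-T` is on the `#!` line but missing from the command line, which is the same reason `PerlTaintCheck on` under mod_perl behaves differently from the development server. The first two entries are rejected by the raw `require` and then loaded from the validated copy; the traversal entry fails validation and is never passed to `require` at all. Any local patch that untaints inside HTML::FormFu's `Util.pm` should use this validate-then-capture shape rather than a blanket `($class) = $class =~ /(.*)/`.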


