Note: please don't spam any of the e-mail addresses which you see here. Follow this link if you want some addresses to misuse.
From: Ken Tindle <ktindle@uky.edu> Date: 28 May 2003 18:02:18 -0400 Subject: PPR: RH9 breaks PPR web admin Well, David, the Perl developers have done it again! The strong (-T vs. -t) taint checking will barf /usr/lib/ppr/lib/cgi_run.pl in the latest release of Red Hat Linux. We went round with something like this before- stuff like CDPATH in the environment when Perl 5.6 first appeared. New in Red Hat Linux 9 is a new rev of Perl, which RH calls out as 5.8.0-88. Note the "88", which is an RPM build number. When running cgi-bin/show_queues.cgi, you are able to choose "Show Queue" from the popup menu of a print queue. You can see all jobs pending. If you would select a job, then click "Release" or "Cancel", you would see: ppop not ready insecure dependency in exec while running with -T switch at /usr/lib/perl5/5.8.0/IPC/Open3.pm line 230 Red Hat is using the IPC::Open3 v1.0104 module for exec now. If you click the "Modify" button, then the "Log" tab, you note that the same error as above is logged, but it is actually lib/cgi_run.pl barfing on line 128. This line is the actual exec statement, of course. /usr/bin/ppop is actually a sym link to the real ELF32 executable file. Could it be that Perl no longer enjoys exec on a sym link? I note that the lower case -t switch is around now. Haven't tried this yet. It is 'relaxed' taint checking. Note that pulling the -T switch off of the server itself has no effect on this. ppr-httpd still works with -T! But cgi stuff written in Perl that calls ppop or ppad WILL blow up on Red Hat Linux 9. It wasn't enough to take the taint switch off the she-bang line on every script that had a 'require cgi_run' statement. I had to pull the -T off ALL the files in /usr/lib/ppr/cgi-bin to restore operation. I'm not enough of a "Perl guy" to know why IPC is pissed. But it's a problem. Cheers.