From: Kenneth Tindle <ktindle@uky.edu>
Date: Tue, 03 Jun 2003 14:51:09 -0400
Subject: PPR: PPOP.pm is tainted

I seem to be talking to a dead list, but here goes.

The taint problem in PPOP.pm is $PPOP_PATH. This is an installation variable, read from the file paths.ph. Since this file could be modified and thus affect what open2() is calling into memory, it is considered tainted by the newest flavor of Perl 5.

The variable can be laundered, but that isn't really the core of this. Perl is right. The methodology here is broken, so this isn't a case of a quick fix, but a re-think. Things are being done a bit sloppily, and that is what really needs work.

Wouldn't it be better to rely on having the distribution tree with a fixed organization installed to a base path (like /usr/lib is now on Linux?) Then you could determine the current directory at run time, and know where to expect everything, without needing to read an external file.

The Perl-based Web administration system is unable to issue commands to pprd under Red Hat Linux 9. It can get lists, but not issue commands to change anything. To fix this, you must:

a) Remove the -T flag from the she-bang line in the scripts in cgi-bin, or
b) Launder the PPOP_PATH variable in PPOP.pm, or
c) Hard-code PPOP_PATH, or
d) Change the design to eliminate paths.ph.

Clearly, the last option is most painful, and best.

I hope someone "out there" is reading this.
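
Option (b) from the message above, as an added example that is not part of the original post and is not PPR's own code: laundering an installation path through an anchored regex capture so that Perl's taint mode accepts it, while rejecting values that should never reach open2(). The helper launder_path() and the sample paths are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not PPR code. Run as: perl -T launder.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return an untainted copy of $path, or die. Only a regex capture clears
# taint, so the pattern must describe exactly what is acceptable.
sub launder_path {
    my ($path) = @_;
    defined $path or die "path is undefined\n";
    # Absolute path, conservative character set, no empty components.
    $path =~ m{\A((?:/[A-Za-z0-9._-]+)+)\z}
        or die "refusing path with unexpected characters\n";
    my $clean = $1;
    # Reject '.' and '..' components so the path cannot climb out.
    for my $part (split m{/}, $clean) {
        die "refusing relative component '$part'\n"
            if $part eq '.' || $part eq '..';
    }
    return $clean;
}

# Constructed input: under -T, $^X is tainted, so appending a zero-length
# slice of it marks each sample the way a value read from a file would be.
my $taint   = substr($^X, 0, 0);
my @samples = (
    '/usr/lib/ppr/bin/ppop' . $taint,          # acceptable
    '/usr/lib/ppr/../../tmp/ppop' . $taint,    # climbs out of the tree
    '/usr/lib/ppr/bin/ppop;x' . $taint,        # shell metacharacter
);

for my $raw (@samples) {
    my $clean = eval { launder_path($raw) };
    if (defined $clean) {
        printf "%-30s tainted=%d -> laundered tainted=%d\n",
            $raw, tainted($raw) ? 1 : 0, tainted($clean) ? 1 : 0;
    }
    else {
        chomp(my $why = $@);
        printf "%-30s rejected: %s\n", $raw, $why;
    }
}
```

Laundering only vouches for the shape of the string; it does not make a writable configuration file trustworthy, which is the design point the message raises with option (d).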