I don't understand the Perl Taint mode error message
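I have been told that some of my old Perl code is vulnerable to cross-site scripting or SQL injection attacks. I wanted to turn on taint mode by changing the shebang from #!/usr/local/bin/perl to #!/usr/local/bin/perl -T, and now I get this error message: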
Insecure dependency in require while running with -T switch at <big long path>/main.cgi line 26.
The code looks like this:
1 #!/usr/local/bin/perl -T
.
.
.
12 use strict;
13
14 use vars qw( %opt $VERSION );
15
16 use CGI qw/:standard *table start_ul/;
17 use CGI qw(:debug);
18 use CGI::Carp qw( fatalsToBrowser );
19 #use CGI::Pretty qw( :html3 );
20 $CGI::Pretty::INDENT = " ";
21 use Tie::IxHash;
22 use FindBin qw($Bin);
23 use lib "$Bin/../../lib";
24 use lib "$Bin/../lib";
25
26 use Common::Config;
Common::Config has this ownership and these permissions:
$ ls -l lib/Common/Config.pm
-r--r--r--. 1 someguy example 5840 Oct 9 20:08 lib/Common/Config.pm
I tried changing the ownership to apache, but I still get the taint error message.
Update:
I tried untainting my $Bin variable like this:
use FindBin qw($Bin); # Where are we ?
if ($Bin =~ /^([-\@\w.]+)$/) {
$Bin = $1; # $data now untainted
} else {
die "Bad data in '$Bin'"; # log this somewhere
}
But I still get the taint error about use Common::Config;
Do you have a use lib statement that adds an unsafe variable to the include path?
https://perldoc.perl.org/perlsec.html
Note that if a tainted string is added to @INC, the following problem will be reported:
Insecure dependency in require while running with -T switch