[tpm] IO::Socket, perl -T and insecure dependency in bind

Matthew Phillips mattp at cpan.org
Tue Dec 3 12:48:37 PST 2013


Are you running taint mode (perl -T switch) intentionally? Reading from an
external source (i.e. your conf file) is tainted data (thus the warning). See
perldoc perlsec (
http://perldoc.perl.org/perlsec.html#Laundering-and-Detecting-Tainted-Data)
for more information on how to deal with this. Alternatively, you can
turn off taint mode.

Cheers,
Matt

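A worked version of the laundering Matt points to, added here as an example that is not part of either post: it reads the same config file, validates the contents as a dotted-quad IPv4 address with a regex capture (the only thing that untaints a value under -T, short of turning taint mode off), and only then hands the value to IO::Socket::INET. The `untaint_ipv4` helper and the exact regex are assumptions; the config path and socket options are the ones from the original post.

```perl
#!/usr/bin/perl -Tw
# Run as: perl -T thisfile.pl  (the -T in the #! line is "too late" otherwise)
use strict;
use warnings;
use Scalar::Util qw(tainted);
use IO::Socket::INET;

my $conffile = "/etc/pixelserv.ip";   # same path as the original post

# Everything read from a file is tainted under -T, including the trailing
# newline that a "local $/" slurp keeps.
open(my $fh, "<", $conffile) or die "can't open $conffile: $!";
my $raw = do { local $/; <$fh> };
close($fh) or die "can't close $conffile: $!";

# Launder by validation: only a value of the expected shape gets through,
# and only the captured group comes out untainted. s/// alone does NOT
# untaint, so stripping whitespace is not enough by itself.
sub untaint_ipv4 {                     # hypothetical helper, not from the post
    my ($s) = @_;
    $s =~ s/^\s+|\s+$//g;              # drop surrounding whitespace/newline
    my $octet = qr/(?:25[0-5]|2[0-4]\d|1?\d?\d)/;
    if ($s =~ /^($octet(?:\.$octet){3})$/) {
        return $1;                     # $1 is untainted
    }
    die "refusing to bind: '$s' is not a dotted-quad IPv4 address\n";
}

my $listento = untaint_ipv4($raw);
printf "raw tainted=%d, laundered tainted=%d, address=%s\n",
    tainted($raw) ? 1 : 0, tainted($listento) ? 1 : 0, $listento;

# With a laundered LocalHost, bind() no longer trips the taint check.
my $sock = IO::Socket::INET->new(
    LocalHost => $listento,
    LocalPort => '80',
    Proto     => 'tcp',
    Listen    => 30,
    Reuse     => 1,
) or die "cannot bind to $listento:80: $!";
print "listening on $listento:80\n";
```

Binding port 80 still needs the usual privilege; the taint check is independent of that and fails before bind() is even attempted.
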

On Tue, Dec 3, 2013 at 2:25 PM, Antonio T. Sun <mlist.ats at spamgourmet.com> wrote:

> Hi,
>
> I have this error that I want to fix:
>
>   Insecure dependency in bind while running with -T switch at
> /usr/lib/perl/5.14/IO/Socket.pm line 202.
>
> To me, the weirder part is not the error message itself, but how it
> appears. Enclosed list [1], and also available under
> http://pastebin.com/wqcHGfme, is the source code that invokes perl with
> the -T switch, and does not show the above insecure dependency issue.
>
> Now take a look at this (minor) change:
>
>
> $ diff -wU 1 pixelserv2 pixelserv2
> --- pixelserv2  2013-12-02 20:41:46.075685600 -0500
> +++ pixelserv3  2013-12-02 20:37:29.943685600 -0500
> @@ -4,2 +4,4 @@
>
> +my $conffile = "/etc/pixelserv.ip";
> +
>  my $crlf  = "\015\012";
> @@ -9,4 +11,8 @@
>
> +open(my $fh, "<", $conffile) || die "can't open $conffile: $!";
> +my $listento = do { local $/; <$fh> };
> +close($fh) || die "can't close $conffile: $!";
> +
>  my $sock = new IO::Socket::INET(
> -    LocalHost => '0.0.0.0',
> +    LocalHost => $listento,
>      LocalPort => '80',
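Review bot: `$listento` is passed to `LocalHost` exactly as slurped, which is why `bind` now fails under `-T`: data read from a file is tainted, and `local $/` also leaves the file's trailing newline in the value, so even without taint mode the address would not look like `0.0.0.0`. Validate and launder it before the socket call, e.g. `($listento) = $listento =~ /^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$/ or die "bad address in $conffile";` so that only the regex capture (which is untainted) and not the raw file contents reaches `IO::Socket::INET`.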
>
>
> To me, the change is really minor, but the impact is huge. I now have such
> insecure dependency issue.
>
> Why it was OK, and now is not? How to fix it?
>
> Thanks
>
> Antonio
>
> [1] source list
>
>    #! /usr/bin/perl -Tw
>
>    use IO::Socket::INET;
>
>    my $crlf  = "\015\012";
>    my $pixel = pack( "C*",
>        qw(71 73 70 56 57 97 1 0 1 0 128 0 0 255 255 255 0 0 0 33 249 4
>           1 0 0 0 0 44 0 0 0 0 1 0 1 0 0 2 2 68 1 0 59)
>    );
>
>    my $sock = new IO::Socket::INET(
>        LocalHost => '0.0.0.0',
>        LocalPort => '80',
>        Proto     => 'tcp',
>        Listen    => 30,
>        Reuse     => 1
>    );
>
>    if ( !defined($sock) ) {
>        print "error : cannot bind : $! exit\n";
>        exit(1);
>    }
>
>    while (my $new_sock = $sock->accept() ) {
>        while (<$new_sock>) {
>            chop;
>            chop;
>
>            # print "$_\n";
>            if ( $_ eq '' ) { last; }
>        }
>        print $new_sock "HTTP/1.1 200 OK$crlf";
>        print $new_sock "Content-type: image/gif$crlf";
>        print $new_sock "Accept-ranges: bytes$crlf";
>        print $new_sock "Content-length: 43$crlf$crlf";
>        print $new_sock $pixel;
>        shutdown( $new_sock, 2 );
>        undef($new_sock);
>    }
>
>    close($sock);
>    exit(0);
>
>
>
> _______________________________________________
> toronto-pm mailing list
> toronto-pm at pm.org
> http://mail.pm.org/mailman/listinfo/toronto-pm
>
>