Finding the root cause of Perl taint mode errors

Posted 2024-11-15 12:03:41 · Length 672 · Views 11 · Comments 0

When running a perl CGI script in taint mode, I get an error of the form...

Insecure dependency in some_function while running with -T switch at (eval some_line) line some_other_line.
Compilation failed in require at my-script.cgi line 39.
BEGIN failed--compilation aborted at my-script.cgi line 39.

my-script.cgi line 39 is a use statement for a perl module which does not itself use eval or some_function, but presumably uses another library which does. The some_line and some_other_line line numbers don't seem to make sense in either my-script.cgi or the library which is 'use'd on line 39 of my-script.cgi.

Given this error, how can I track down where the taint error is occurring?

I've tried setting a new die signal handler which should print a stack trace, i.e.

$SIG{ __DIE__ } = sub { require Carp; Carp::confess(@_); };

but this seems to have no effect on the error. Perhaps this is the wrong signal to be trapping, not happening early enough, or something more complex is required.

Comments (2)

℉服软 2024-11-22 12:03:41

Carp::Always works fine with exceptions raised by taint checks. Example output:

$ perl -MCarp::Always -T blah.pl
Insecure dependency in sprintf while running with -T switch at blah.pl line 6
        main::foo() called at blah.pl line 8
        main::bar() called at blah.pl line 10
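
The failure shape from the question and the fix from the answer above, as an added example that is not code from the question, the answer, or any module they mention. It uses a hypothetical package Hypothetical::Lib whose code is compiled with a string eval, which is where "(eval N) line M" comes from: N is the sequence number of the string eval in the process and M is a line inside that string, so it matches no line of any file on disk. The run-time $SIG{__DIE__} handler from the question is kept to show why it never fires: it is assigned only when the main program starts running, after every use/BEGIN block has already completed. A handler installed inside a BEGIN block before the module is loaded is live early enough, which is also what `-MCarp::Always` achieves, since its import installs a `__DIE__` handler at compile time. The directory argument is constructed input; anything from @ARGV or %ENV is tainted under -T.

```perl
#!/usr/bin/perl -T
# Added example (not from the question or its answers). Reproduces the
# "at (eval N) line M" / "BEGIN failed" error shape under -T and shows why
# a run-time $SIG{__DIE__} handler never sees it. Module, function and
# environment-variable names are hypothetical.
use strict;
use warnings;

# Handler installed at COMPILE time (inside BEGIN), so it is live before
# any later use/BEGIN block runs. Enabled only when TRACE is set in the
# environment so that both behaviours can be compared with the same file.
BEGIN {
    $SIG{__DIE__} = sub { require Carp; Carp::confess(@_) } if $ENV{TRACE};
}

# Stand-in for a third-party module that compiles part of itself with a
# string eval. Errors raised in that code are reported against lines of
# the eval'd string, not of any file: here "(eval 1) line 4".
BEGIN {
    package Hypothetical::Lib;

    eval q{
        sub enter_dir {
            my ($d) = @_;
            chdir $d or die "chdir $d: $!\n";   # chdir is taint-checked
            return 1;
        }
    };
    die $@ if $@;

    sub init {
        my ($dir) = @_;
        return enter_dir($dir);
    }
}

# Run-time handler, as in the question. It is assigned only once the main
# program starts executing, which is after every use/BEGIN has finished,
# so it cannot observe a failure raised while a module is being loaded.
$SIG{__DIE__} = sub { require Carp; Carp::confess(@_) };

# Stands in for the "use Hypothetical::Lib;" statement on line 39 of the
# CGI script: the module's initialisation runs at compile time and is
# handed a tainted value ($ARGV[0] is tainted under -T).
BEGIN {
    die "usage: perl -T $0 DIRECTORY\n" unless @ARGV;
    Hypothetical::Lib::init($ARGV[0]);
}

print "reached run time: this line is never printed\n";
```

Running `perl -T taint_trace.pl /tmp` prints only `Insecure dependency in chdir while running with -T switch at (eval 1) line 4.` followed by `BEGIN failed--compilation aborted at taint_trace.pl line ...`, with no stack trace, because the run-time handler was never assigned. Running `TRACE=1 perl -T taint_trace.pl /tmp` adds the `Hypothetical::Lib::enter_dir(...) called at ...` and `Hypothetical::Lib::init(...) called at ...` frames, which name the real file and line that performed the insecure operation; `perl -MCarp::Always -T taint_trace.pl /tmp` produces the same frames without editing the script.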

新雨望断虹 2024-11-22 12:03:41

I use Devel::SimpleTrace a lot these days for debugging and it recently helped me find a taint bug when using Archive::Zip.

However, I don't know if it would have worked in your case since it is essentially setting the same sig handler that you used.
