thraxil has asked for the wisdom of the Perl Monks concerning the following question:
i recently upgraded an old redhat 7.2 box to perl 5.8.4 (from 5.8.0) and have encountered some weirdness with taint-checking and IO::Socket. here's the smallest test-case i could come up with:
i have the following XML file:
<?xml version="1.0"?> <settings> <base>http://www.google.com</base> </settings>
and the following perl:
#!/usr/bin/perl -wT use strict; use LWP::Simple; use XML::Simple; my $config = XML::Simple::XMLin("test.xml"); my $base = $config->{base}; if ($base =~ m{^(http://[\w\.\/\-]+)$}) { $base = $1; } else { print $base, " didn't match\n"; } print get("$base/index.html");
when i run it under perl 5.8.4, i get:
Insecure dependency in connect while running with -T switch at /usr/lo +cal/lib/perl5/5.8.4/i686-linux/IO/Socket.pm line 114.
if i run it under 5.8.0, it works as expected.
so how on earth does it still consider $base to be tainted? it passes through the conditional without printing anything, so it certainly looks like it should be untainted.
if i don't get $base through XML::Simple, and instead just say $base = "http://www.google.com", it works. if i don't do any string interpolation in the last line it works. ie, if i change the last line to just:
print get($base);
it works.
it looks like some Twiki users have encountered the same problem but haven't found any solution other than turning off taint-checking (which i don't consider a legitimate option on a public server).
so is this a perl bug, or am i missing something really stupid and obvious? can anyone else duplicate it?