
Re: mod_perl app fails to load after browsing several pages

  • Stas Bekman
    Message 1 of 3, Jun 7, 2005
      [diarmuid, please don't forget to Reply-All and CC the list on your follow
      ups]

      >> my $q = new CGI;
      >>
      >> my $action = 'SchoolWeb::Actions::' . ($q->param('action') || 'Index');
      >>
      >> eval "use $action";
      >
      >
      >>When you eval you need to check $@ for errors. See 'perldoc -f eval' for
      >>more information.
      >
      >
      > ok...I've done this, but it now complains on some modules not being found
      > e.g.
      >
      > EVAL: Can't locate SchoolWeb/Actions/ManageFiles.pm in @INC
      >
      > [root@admin Actions]# ls -l
      > /srv/www/admin.schoolweb.ie/perl/SchoolWeb/Actions/ManageFiles.pm
      > -rwxr-xr-x 1 diarmuid apache 6346 May 27 08:58
      > /srv/www/admin.schoolweb.ie/perl/SchoolWeb/Actions/ManageFiles.pm
      > [root@admin Actions]#
      >
      > use lib '/srv/www/admin.schoolweb.ie/perl';

      You need to show a complete error message, not a part of it. It's possible
      that you have a permission problem. Check that the username you run apache
      with can read those files (you could su(1) to that user, and try to cat(1)
      the .pm file, for example)

      >>Besides, that code sample is a very very very bad idea. As you eval a
      >>non-trusted code. You can be hurt. Badly.
      >
      >
      > I would have thought it ok since the SchoolWeb::Actions prefix is there? is
      > there a better way around trying to dynamically load my modules?

      watch this:

      $q->param('action' => 'ManageFiles; qx[rm -rf /]');
      my $action = 'SchoolWeb::Actions::' . ($q->param('action'));
      eval "use $action";

      say bye bye to quite a few of your files writable by the user you run
      apache with.

      To make it safely you could for example have a hash of valid names and
      check that $action is in that hash before evalling it.

      >>Make sure to turn the taint mode (PerlOptions -T in mp2, TaintMode On in
      >>mp1) and fix your code to untaint your code before eval'ing it.
      >
      >
      > How do i taint check my code as in my example?

      http://perl.apache.org/search/swish.cgi?query=taint&sbm=&submit=search


      --
      __________________________________________________________________
      Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
      http://stason.org/ mod_perl Guide ---> http://perl.apache.org
      mailto:stas@... http://use.perl.org http://apacheweek.com
      http://modperlbook.org http://apache.org http://ticketmaster.com
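
The allowlist check suggested in the message above, combined with regex untainting and a block-form `require` in place of string `eval`, as an added example (not code from the thread or from mod_perl). The `resolve_action` and `load_action` helpers are hypothetical names, and the sketch assumes the `SchoolWeb::Actions::*` modules are reachable through `@INC`; where they are not, the load is reported as failed rather than executed.

```perl
use strict;
use warnings;

# Allowlist: request value => module name. 'Index' and 'ManageFiles' are the
# only action names that appear in the thread; extend with your own modules.
my %ACTIONS = (
    Index       => 'SchoolWeb::Actions::Index',
    ManageFiles => 'SchoolWeb::Actions::ManageFiles',
);

# Return the module name for a request value, or undef if it is not allowed.
sub resolve_action {
    my ($param) = @_;
    $param = 'Index' unless defined $param && length $param;
    # The capture untaints the value under taint mode; \A and \z anchor the
    # whole string, so nothing can follow the identifier.
    my ($name) = $param =~ /\A([A-Za-z][A-Za-z0-9]*)\z/ or return;
    # The module name comes from our own table, never from the request.
    return $ACTIONS{$name};
}

# Load an allowlisted module without string eval. Returns (module, error).
sub load_action {
    my ($param) = @_;
    my $module = resolve_action($param)
        or return (undef, 'unknown action');
    (my $file = "$module.pm") =~ s{::}{/}g;
    # Block eval only traps the exception; no request data is compiled as code.
    my $ok = eval { require $file; 1 };
    return ($module, undef) if $ok;
    chomp(my $err = $@);
    return (undef, "load failed: $err");
}

# Constructed sample inputs, including the value shown in the message above.
for my $input ('ManageFiles', undef, 'ManageFiles; qx[rm -rf /]', 'NoSuchAction') {
    my ($module, $err) = load_action($input);
    printf "%-30s => %s\n",
        defined $input ? "'$input'" : '(no action param)',
        defined $module ? "loaded $module" : "refused ($err)";
}
```

The value from the message never reaches `require`: it fails the anchored pattern and is refused as an unknown action, and a well-formed name that is missing from the table is refused the same way.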