Re: mod_perl app fails to load after browsing several pages
- [diarmuid, please don't forget to Reply-All and CC the list on your follow
>> my $q = new CGI;
>> my $action = 'SchoolWeb::Actions::' . ($q->param('action') || 'Index');
>> eval "use $action";
>>When you eval you need to check $@ for errors. See 'perldoc -f eval' for
> ok...i've done this, but it now complains on some modules not being found
> EVAL: Can't locate SchoolWeb/Actions/ManageFiles.pm in @INC
> [root@admin Actions]# ls -l
> -rwxr-xr-x 1 diarmuid apache 6346 May 27 08:58
> [root@admin Actions]#
> use lib '/srv/www/admin.schoolweb.ie/perl';

You need to show a complete error message, not a part of it. It's possible
that you have a permission problem. Check that the username you run apache
with can read those files (you could su(1) to that user, and try to cat(1)
the .pm file, for example)

>>Besides, that code sample is a very very very bad idea. As you eval a
>>non-trusted code. You can be hurt. Badly.
> I would have thought it ok since the SchoolWeb::Actions prefix is there? is
> there a better way around trying to dynamically load my modules?

watch this:

$q->param('action' => 'ManageFiles; qx[rm -rf /]');
my $action = 'SchoolWeb::Actions::' . ($q->param('action'));
eval "use $action";

say bye bye to quite a few of your files writable by the user you run
To make it safely you could for example have a hash of valid names and
check that $action is in that hash before evalling it.

>>Make sure to turn the taint mode (PerlOptions -T in mp2, TaintMode On in
>>mp1) and fix your code to untaint your code before eval'ing it.
> How do i taint check my code as in my example?

http://perl.apache.org/search/swish.cgi?query=taint&sbm=&submit=search

Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:stas@... http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
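
The hash-of-valid-names check and the untainting step suggested in the message above, as an added example that is not code from the thread. The action names in %VALID_ACTION, the helpers resolve_action and load_action, and the inline stand-in packages are assumptions made so the script runs on its own.

```perl
use strict;
use warnings;

# Constructed stand-ins so the example runs without the real application;
# the real modules would live in SchoolWeb/Actions/*.pm under the 'use lib' path.
BEGIN {
    for my $name (qw(Index ManageFiles)) {
        no strict 'refs';
        *{"SchoolWeb::Actions::${name}::run"} = sub { "ran $name" };
        $INC{"SchoolWeb/Actions/$name.pm"} = __FILE__;   # mark as already loaded
    }
}

# Allowlist: the only action names a request may select (assumed names).
my %VALID_ACTION = map { $_ => 1 } qw(Index ManageFiles);

# Returns the full module name for a request parameter, or undef if rejected.
sub resolve_action {
    my ($param) = @_;
    $param = 'Index' unless defined $param && length $param;
    # Capturing from a strict pattern is what untaints the value under taint
    # mode; \A and \z anchor the whole string ($ would allow a trailing newline).
    my ($name) = $param =~ /\A([A-Za-z][A-Za-z0-9_]*)\z/ or return;
    return unless $VALID_ACTION{$name};
    return "SchoolWeb::Actions::$name";
}

# Loads the module with require on a file path, so no request data is ever
# compiled as Perl source, and reports the full error from $@ on failure.
sub load_action {
    my ($param) = @_;
    my $module = resolve_action($param) or return;
    (my $file = "$module.pm") =~ s{::}{/}g;
    eval { require $file; 1 } or die "Cannot load $module: $@";
    return $module;
}

# Constructed inputs: a valid name, a missing parameter, the string from the
# message above, and a well-formed name that is not on the allowlist.
for my $input ('ManageFiles', undef, 'ManageFiles; qx[rm -rf /]', 'NoSuchAction') {
    my $module = load_action($input);
    printf "%-28s => %s\n", defined $input ? "'$input'" : 'undef',
        $module ? $module->can('run')->() : 'rejected';
}
```

The pattern alone would accept NoSuchAction; the hash lookup is what limits loading to modules the application actually intends to expose.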