Closed djstauffer closed 4 years ago
djstauffer
commented
4 years ago Just returned to this almost 3 years later, and it's still a problem, so I re-patched it on a new install I just did.
hurricup, I don't know if you are still working on this project, but just in case you are I thought I'd comment on the issue.
hurricup
commented
4 years ago Yes, I do. But this is free open source project and you are free to make a pull request.
djstauffer
commented
4 years ago It occurred to me that some developers might not want to untaint any variables in the Camelcadedb code, so in my proposed fix, I used an environment variable to enable doing so for the two host/port variables.
I did not find any other mechanism for customizing the debugger code, but if there is something I missed, please let me know.
hurricup
commented
4 years ago Merged, thanks.
When debugging remotely on debian jessie (currently perl v5.20.2), with the -T (taint mode) flag enabled, the program will exit with the following error:
AH01215: Insecure dependency in connect while running with -T switch at /usr/lib/x86_64-linux-gnu/perl/5.20/IO/Socket.pm line 114.
This is because perl considers the PERL5_DEBUG_HOST and PERL5_DEBUG_PORT environment variables to be tainted. It would be good to have the option of untainting just these variables, so that code could still still be debugged with taint mode on.
The code in the Devel::Camelcadedb module that causes the error is where the IO::Socket::INET->new function is called when PERL5_DEBUG_ROLE is set to "client" (around line 1717 in version 1.6.1.6 of the module). I have tested copying the values from the PERL5_DEBUG_HOST and PERL5_DEBUG_PORT to new variables (using a regex to untaint them), and passing those variables to the IO::Socket::INET->new call, rather than the environment variables. Doing so fixes the problem.
Taint mode is still a useful tool for making potential security problems more obvious, so I think it would be good to make it possible for Camelcade to work when remote debugging with taint mode on.