Taint safety problem in Net::OpenID::Consumer 0.11

Rob Lanphier robla at robla.net
Tue Jun 28 23:25:35 PDT 2005

Hi folks,

Unless I'm doing something very boneheaded (quite possible, my Perl
skills are quite rusty), it doesn't appear that Net::OpenID::Consumer
(v0.11) is taint safe.

I've attached my "hello world" consumer CGI app (sorry, not a server),
which, as configured, returns the following error:
"url_fetch_error: Error fetching URL: Insecure dependency in connect
while running with -T switch"

Removing "-Tw" from the script makes it run.  I haven't dug deeply into
exactly where the problem is, but I'm guessing it's
Net::OpenID::Consumer->ua that's the tainted variable passed into
URI::Fetch in Consumer.pm.

The reason why I bring this up is that I'm taking a stab at adding
Bugzilla/OpenID consumer support, and I've made some reasonable
progress.  BZ ships with taint checking turned on.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: index.cgi
Type: application/x-perl
Size: 2189 bytes
Desc: not available
Url : http://lists.danga.com/pipermail/yadis/attachments/20050628/fa46d161/index.bin

More information about the yadis mailing list