Re: [fh@debian.org: Need help with bug in libnet-dns-perl]
According to Michael Stone:
> The larger problem is that adding the -T make the code fail. IMHO,
> this isn't a problem in the Net::DNS library, but rather in the
> IO::Socket routines. If you specify an ip address rather than a
> name for the nameserver, the code works with -T.
Going back to the principles behind tainting:
DNS lookups return names and addresses. Returnd names should be
tainted, since they could contain weird characters. But returned IP
addresses need not be tainted, because they're just numbers. We have
precedent: length($tainted) is never tainted.
I don't know how well the libraries in question reflect my
conclusions. Could someone please investigate these details:
1. Under -T, what values are ending up tainted?
2. Which of these tainted values are causing the failure?
adTHANKSvance
--
Chip Salzenberg - a.k.a. - <chip@valinux.com>
"I wanted to play hopscotch with the impenetrable mystery of existence,
but he stepped in a wormhole and had to go in early." // MST3K
Reply to: