get_random_bytes gives taint errors #28
Comments
|
Module::Load::Conditional has been around a few years, has no C/XS dependencies, and was integrated into core around 5.22 (I believe?). It would help remove the above evals. |
|
the above evals are not needed at all. Just use an eval { } block. "require" is not compile time. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See https://bugzilla.mozilla.org/show_bug.cgi?id=1187897 . The errors are:
Insecure dependency in eval while running with -T switch at /usr/local/share/perl5/Crypt/OpenPGP/Util.pm line 107.
at /usr/local/share/perl5/Crypt/OpenPGP/Util.pm line 104.
Crypt::OpenPGP::Util::get_random_bytes(490) called at /usr/local/share/perl5/Crypt/OpenPGP/SessionKey.pm line 96
It is suggested that this code may be responsible, from Util.pm:
sub get_random_bytes {
my $length = shift;
if (eval 'require Crypt::Random; 1;') {
return Crypt::Random::makerandom_octet( Length => $length);
}
elsif (eval 'require Bytes::Random::Secure; 1;') {
return Bytes::Random::Secure::random_bytes($length);
}
else {
die "No random source available!";
}
}
Gerv
The text was updated successfully, but these errors were encountered: