Forum archive 2000-2006

David Baur - XML::Parser and the safe compartment

David Baur - XML::Parser and the safe compartment

by Arnold Pizer -
Number of replies: 0
inactiveTopicXML::Parser and the safe compartment topic started 8/31/2006; 4:07:24 PM
last post 9/1/2006; 9:57:20 AM
userDavid Baur - XML::Parser and the safe compartment  blueArrow
8/31/2006; 4:07:24 PM (reads: 253, responses: 3)
Hi,

I'm back again with another question related to the Java evaluator I've been working on. As suggested in a previous post, I added XML::Parser to the module list in global.conf so that I could use it in my own module for the evaluator. Everything worked great.

However, now we are moving from our old ww2.0 install to a new ww2.2 install and I am having an issue. The error message reads:

    'require' trapped by operation mask at
/usr/local/lib/perl5/5.8.8/mach/IO/Handle.pm line 256
which from what I understand is typically caused by the Safe module. I was able to narrow down the cause of the error to the following line:
   $parser->parsefile($path);
in the context:
   $parser = new XML::Parser();
$parser->setHandlers(Char => &char_handler,
End => &end_handler,
Start => &start_handler);
$parser->parsefile($path);

So my current understanding of the situation is that XML::Parser makes use of IO::Handle which contains the 'require' statement which is disallowed. Does this seem correct? Could one of the changes such as security updates between the 2.0 and 2.2 versions be involved? If so, is there anything I can do?

Thanks,

David

PS we've also upgraded from perl 5.6 to 5.8 if that makes a difference.

<| Post or View Comments |>


userSam Hathaway - Re: XML::Parser and the safe compartment  blueArrow
8/31/2006; 7:18:06 PM (reads: 304, responses: 0)
I'm not sure if anything we did would have caused this.

This is kind of a known issue with Safe -- modules can be loaded outside the safe compartment and shared, but if they load other modules at runtime this will be trapped by Safe.

You might try adding IO::Handle to the modules list as well, as well as any other modules that need to get loaded.

We're working on better ways to expose external code to the safe compartment, but it's still at the planning stage. In particular, look at Safe::Hole, which claims to solve exactly this problem.

<| Post or View Comments |>


userMichael Gage - Re: XML::Parser and the safe compartment  blueArrow
8/31/2006; 7:51:10 PM (reads: 295, responses: 0)
On the other hand the change from perl 5.6 to perl 5.8 probably did cause the problem. I had to fix a couple of issues like this (utf8 was one of them I believe when we upgraded to 5.8).

perl 5.8 updated a number of modules to use things like IO:Handle instead of using open() directly.

You're running into a frustrating problem that a number of us are having with trying to add specific capabilities within the Safe compartment without including too many dangerous "powers".

Safe::Hole is something to investigate, but so far it hasn't been quite the right tool. Wish I could help more, but at the moment I don't have further advice.

-- Mike

<| Post or View Comments |>


userSam Hathaway - Re: XML::Parser and the safe compartment  blueArrow
9/1/2006; 9:57:20 AM (reads: 298, responses: 0)
Safe::Hole isn't the right tool for protecting instance data and methods from other safe compartment code, but it is the right tool for executing methods "outside" the safe compartment even when they are called from within the safe compartment.
-sam

<| Post or View Comments |>