Insecure dependency in perl-ldap 0.21+

[Ziya S. <zi...@ri...>]

(see http://sourceforge.net/mailarchive/message.php?msg_id=514287)

Hi,

I had the same problem:

Insecure dependency in require while running with -T switch
at /usr/local/lib/perl5/site_perl/5.6.0/Net/LDAP/Message.pm line 86.

To me, it happened randomly, so I couldn't really trace down the
error. But I managed to come up with kind of a test case and a patch
for Message.pm.

Looks like Perl bug report #17867. Another thing: it happens with
5.6.0 not with 5.8.0. Looks like 5.8.0 treads server_error's return
variable for Taint checks. But I am not sure if this will be the case
on production code.

Any way the patch below is solving the problem at least for me. What
do you think?

Ziya Suzen
------------
RIPE NCC

try running this test with perl5.6.0 script you should get 'Insecure
dependency',(unless $msg->code =! 0)

Test case:
#/usr/bin/perl -T
use Net::LDAP;
$ld = new Net::LDAP('ldap.itd.umich.edu');
$msg = $ld->bind();
$msg->error();
print $msg->code(),"\n";

Patch for Message.pm:
--- /usr/local/lib/perl5/site_perl/5.6.0/Net/LDAP/Message.pm    Fri
Aug 24
21:24:09 2001
+++ blib/lib/Net/LDAP/Message.pm        Sat Jan  4 03:29:47 2003
@@ -83,9 +83,15 @@

 sub error {
   my $self = shift;
-  $self->server_error
-    or require Net::LDAP::Util
-    and Net::LDAP::Util::ldap_error_desc( $self->code );
+
+  my $return;
+
+  unless ($return = $self->server_error) {
+     require Net::LDAP::Util and
+     $return = Net::LDAP::Util::ldap_error_desc( $self->code );
+  }
+
+  $return;
 }

 sub set_error {