Taint Mode Seems to be Ignored
Hello.
Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.
I've noticed what seems to be a case of Taint mode being ignored with
respect to CGI params when running under mod_perl.
The following:
    #!/usr/bin/perl -T

    use strict;
    use warnings;

    $ENV{'PATH'} = "/bin:/usr/bin";
    #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

    use CGI;
    my $q = CGI->new;

    my $foo = $q->param('foo');

    open OF, "> /tmp/$foo";

    print OF "blah blah blah";
    close OF;

    print "Content-type: text/html\n\n";

    print "Taint: ${^TAINT}<br>";

    print "done<br>";
Behaves normally when run without mod_perl, i.e. it tosses 500 errors
and screams bloody murder. However with the following setup: (only
relevant parts shown)
    PerlTaintCheck  On
    PerlWarn        On

    <VirtualHost *:80>
        Alias /cgi-bin/ /usr/lib/cgi-bin/

        <Directory /usr/lib/cgi-bin>
            Options +ExecCGI -Multiviews

            SetHandler          perl-script
            PerlOptions         +ParseHeaders
            PerlResponseHandler ModPerl::Registry
        </Directory>
    </VirtualHost>
The cgi runs without error, opening files under /tmp based on CGI
parameter inputs. The taint mode flag shows that taint mode is enabled,
and if $ENV{PATH} is not cleaned, it throws errors. The behavior is the
same with both PerlTaintCheck On and PerlSwitches -T.
What am I missing? I have production code that is apparently not as
protected as I would like.
Thanks in advance.
--
-Nik
Re: Taint Mode Seems to be Ignored
Last I heard, taint mode in mod_perl didn't always work. See:
http://marc.info/?l=apache-modperl&m=119749949626698&w=2
That was a while back, maybe it's been fixed by now.
-----Scott.
On Tue, May 25, 2010 at 10:26 AM, Nik Ogura <nik.ogura [at] gmail.com> wrote:
> Hello.
>
> Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.
>
> I've noticed what seems to be a case of Taint mode being ignored with
> respect to CGI params when running under mod_perl.
>
> The following:
>
> #!/usr/bin/perl -T
>
> use strict;
> use warnings;
>
> $ENV{'PATH'} = "/bin:/usr/bin";
> #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
>
> use CGI;
> my $q = CGI->new;
>
> my $foo = $q->param('foo');
>
> open OF, "> /tmp/$foo";
>
> print OF "blah blah blah";
> close OF;
>
> print "Content-type: text/html\n\n";
>
> print "Taint: ${^TAINT}<br>";
>
> print "done<br>";
>
> Behaves normally when run without mod_perl, i.e. it tosses 500 errors
> and screams bloody murder. However with the following setup: (only
> relevant parts shown)
>
> PerlTaintCheck On
> PerlWarn On
>
> <VirtualHost *:80>
> Alias /cgi-bin/ /usr/lib/cgi-bin/
>
> <Directory /usr/lib/cgi-bin>
> Options +ExecCGI -Multiviews
>
> SetHandler perl-script
> PerlOptions +ParseHeaders
> PerlResponseHandler ModPerl::Registry
> </Directory>
>
> </VirtualHost>
>
> The cgi runs without error, opening files under /tmp based on CGI
> parameter inputs. The taint mode flag shows that taint mode is enabled,
> and if $ENV{PATH} is not cleaned, it throws errors. The behavior is the
> same with both PerlTaintCheck On and PerlSwitches -T.
>
> What am I missing? I have production code that is apparently not as
> protected as I would like.
>
> Thanks in advance.
>
> --
> -Nik
>
>
Re: Taint Mode Seems to be Ignored
That sure explains what I'm seeing. I'll have to see if I can break
loose time to dig into the internals. We have too many less
sophisticated developers and cgi scripts running under Registry and
PerlRun to fully convert to Apache2::Request.
Thanks for the solution.
--
-Nik
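
Added example, not part of the thread and not anyone's production code: one way to keep a script like the one above safe even when taint checking does not flag CGI parameters, by validating the value against an allowlist before it reaches the file system, plus a check for the reported symptom (taint mode on, input not tainted). The helper names, the file-name pattern and the temporary directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: explicit validation that does not rely on taint enforcement.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Allowlist for the 'foo' parameter: a bare file name with no path
# separators and no leading dot. Returns the captured name, or undef.
sub safe_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# The symptom reported in the thread: ${^TAINT} is set, yet request input
# is not marked tainted. Returns true when that is the case.
sub taint_not_applied {
    my ($raw) = @_;
    return ${^TAINT} && defined $raw && !tainted($raw);
}

# Hypothetical helper: validate first, then create the file with O_EXCL so
# an existing file (or a pre-planted symlink) is never written through.
sub write_param_file {
    my ($dir, $raw, $body) = @_;
    warn "taint mode on but parameter is not tainted\n"
        if taint_not_applied($raw);
    my $name = safe_name($raw);
    return unless defined $name;
    sysopen(my $fh, "$dir/$name", O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return;
    print {$fh} $body;
    close $fh or return;
    return "$dir/$name";
}

# Constructed inputs standing in for $q->param('foo').
my $dir = tempdir(CLEANUP => 1);
for my $raw ('report-01.txt', '../../etc/passwd', 'a/b', '.htaccess', '| id') {
    my $path = write_param_file($dir, $raw, "blah blah blah");
    printf "%-20s %s\n", "'$raw'", defined $path ? 'written' : 'rejected';
}
```

Only the first constructed input is written; the others fail the allowlist. In a Registry script the warning line gives a log entry whenever the handler sees untainted request data with taint mode enabled.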