Taint won't run on Win32 anyway.
-----Original Message-----
From: "Curtis Poe"<[EMAIL PROTECTED]>
To: "CGI Beginners"<[EMAIL PROTECTED]>
Date: Tue Aug 14 15:02:40 PDT 2001
Subject: Re: CGI on IIS <- bad idea?
>--- Eric Wang <[EMAIL PROTECTED]> wrote:
>> Thanks! Can you explain what the taint option does?
>> I usually just use #!/script/perl.exe
>>
>> Thanks for your help!
>> eric
>
>Eric,
>
>If you enable taint checking, any data coming into your program from outside of the
>program is considered "tainted". Perl tries to ensure that tainted data is not used
>to affect anything outside of the program and will kill the program rather than allow
>Bad Things to happen. This script will die if you try to run it:
>
> #!/usr/bin/perl -wT
> use strict;
>
> my $file = <STDIN>;   # anything read from STDIN is tainted under -T
> chomp $file;
>
> # two-argument open: the mode lives in the string with the (tainted) name
> open my $fh, "> $file" or die "Can't open $file for writing: $!";
>
>Note that the "or die" is not what's killing the script. Trying to use a tainted
>variable ($file) to open a file for writing is what kills the script, assuming taint
>mode is enabled. Trying to read from the file is considered safe, however:
>
> open my $fh, "< $file" or die "Can't open $file for reading: $!";
>
>Unfortunately, this causes problems in many programs where someone enters something
>like "/etc/passwd" in a CGI script and potentially gains access to info that they
>shouldn't (of course, that ignores that the system should be using shadow passwords,
>but this is just an example). On Unix-like systems, you can also append a pipe to the
>filename and that will cause an attempt to execute the file instead of opening it.
>That's why we have taint checking: it forces us to examine these variables and make
>sure that the data is safe.
>
>To learn more about taint checking and how to "untaint" a variable, open a command
>prompt and type "perldoc perlsec". This will also explain exactly what Perl considers
>tainted.
>
>You can also read Lesson Three of my online CGI course and gain a *basic*
>understanding of CGI security:
>
>http://www.easystreet.com/~ovid/cgi_course/lesson_three/lesson_three.html
>
>Cheers,
>Curtis Poe
>
>=====
>Senior Programmer
>Onsite! Technology (http://www.onsitetech.com/)
>"Ovid" on http://www.perlmonks.org/
>
>
>--
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>
/~_. _ | _ _ _ _
\_/|(_||| | |(_)| |
_|
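The quoted reply points at "perldoc perlsec" for how to untaint a variable. The following is an added example written for this thread (not Curtis Poe's code and not from his course) that carries that step through: it takes the same kind of user-supplied filename, untaints it with a whitelist regex capture, and then opens it with a three-argument open so that neither a leading "> " nor a trailing "|" can change what the open does. The directory /tmp/taint_demo and the three sample inputs are constructed for the demonstration and are assumptions, not values from the thread.

```perl
#!/usr/bin/perl -T
# Added example for this thread (not Curtis Poe's code): untainting a
# user-supplied filename before using it in a write, following perlsec.
# Run as: perl -T untaint_demo.pl
use strict;
use warnings;

# perlsec: under -T an untrusted PATH (and IFS, CDPATH, ENV, BASH_ENV) is
# itself tainted if the program ever shells out, so sanitize %ENV up front.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed location for the demo; an assumption, not from the thread.
my $base_dir = '/tmp/taint_demo';
-d $base_dir or mkdir $base_dir or die "Can't create $base_dir: $!";

# Constructed sample inputs standing in for lines read from STDIN: one benign
# name and the two hazards the reply describes (reaching /etc/passwd through
# the path, and a trailing pipe that a two-argument open would execute).
my @samples = ("report.txt\n", "../../etc/passwd\n", "ls -l|\n");

# Returns an untainted basename, or undef if the input is not acceptable.
# Only data captured from a regex match loses its taint, so the pattern is
# the whole policy: a short basename made of letters, digits, '_', '-' and
# '.', with no slashes, spaces or pipe characters anywhere in it.
sub untaint_name {
    my ($raw) = @_;
    chomp $raw;
    return undef unless $raw =~ /\A([\w.-]{1,64})\z/;
    my $name = $1;
    return undef if $name eq '.' or $name eq '..';   # no directory escapes
    return $name;
}

for my $raw (@samples) {
    my $name = untaint_name($raw);
    if (!defined $name) {
        (my $shown = $raw) =~ s/\n//;
        print "rejected: '$shown'\n";
        next;
    }
    my $path = "$base_dir/$name";
    # Three-argument open with a fixed mode: the name can never be
    # reinterpreted as "> ..." or "...|", and because $name came out of a
    # regex capture it is untainted, so -T lets the write proceed.
    open my $fh, '>', $path or die "Can't open $path for writing: $!";
    print $fh "written under taint mode\n";
    close $fh;
    print "wrote $path\n";
    unlink $path;   # tidy up after the demonstration
}
```

Run it with `perl -T untaint_demo.pl` (the `-T` on the shebang alone is "too late" when Perl is invoked without it). The only line that is allowed to remove taint is the regex match in `untaint_name`; if the pattern is later loosened to accept "/" or "|", the program will still run under `-T`, which is why the pattern, not the taint check, is the part that needs review.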