On Sat, Nov 12, 2011 at 08:24:52AM -0300, Tessio Fechine wrote:
> But why the same code works fine at command line? That's what bothers me
> most.
> And.. there is no code duplication. search.pl is a normal script that I use
> at command line. I just want to output the result in a web page.
> 
> Thanks!
> 
Would you please avoid top-posting?
A: because it disrupts the normal flow of conversation.
Q: why is top-posting so annoying?
A: top-post reply.
Q: what's the most annoying thing you can do in email?

;)

My reply is below Peter's.
> 2011/11/12 Peter Scott <pe...@psdt.com>
> 
> > On Fri, 11 Nov 2011 19:08:18 -0300, Tessio Fechine wrote:
> > > #!/usr/bin/perl -T -w
> > >
> > > use strict;
> > > use CGI;
> > >
> > > $ENV{PATH} = '/var/www/cgi-bin/';
> > > my $exec = 'search.pl';
> > >
> > >
> > > my $c = CGI->new();
> > > print $c->header(), $c->start_html(-title => "It's alive!\n"), "\n";
> > >
> > > my $search = $c->param('search') || 'nobody';
> > > !system $exec, "(cn=" . $search . " *)" or die "$exec: $!\n";
> > >
> > > print $c->end_html(), "\n";
> > > ---//---
> > >
> > > When I run it from command line (./crap.pl), it works just fine. But
> > > when I try to run it from apache, as a CGI script, I get this error in
> > > error_log:
> > >
> > > "Insecure dependency in system while running with -T switch at
> > > /var/www/cgi-bin/crap.pl line 14., referer: http://frodo/crap.html";
> >
> > perldoc perlsec.  You haven't untainted $search.
> >
> > Consider embedding the LDAP search functionality in your CGI, or better
> > yet, abstracting it to a common module used by both search.pl and your,
> > er, crap.pl.  Code duplication is so enervating.
> >

In the command line instance, how are you passing the c->param('search') value?
If you are not passing anything in for that value, then your code is executing
differently and is using the known value 'nobody', so you then execute
search.pl with a known value.

As Peter said, http://perldoc.perl.org/perlsec.html is a useful read.  You have
used a form parameter without verifying it is within expected parameters first.
Taint mode won't let you do that.  Untainting the form parameter effectively is
the process of ensuring you have safe data.

Kind Regards

Lesley
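
The untainting Peter and Lesley describe, written out as an added example (this is not the original poster's script and not code from the list). It assumes search.pl lives at /var/www/cgi-bin/search.pl, the directory named in the error message, and that a search term is expected to be a short plain name; the character class in the regex is an assumption and should be narrowed or widened to what cn values in your directory actually look like.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use Scalar::Util qw(tainted);

# Taint mode also inspects %ENV before system(): set PATH to known
# directories and drop the variables perlsec lists as shell-influencing.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Absolute path, so nothing depends on PATH lookup (assumed location).
my $exec = '/var/www/cgi-bin/search.pl';

my $c = CGI->new;
print $c->header, $c->start_html(-title => "It's alive!"), "\n";

# Anything that arrived in the request is tainted; the literal fallback
# 'nobody' is not, which is why a run with no parameter never trips -T.
my $raw = $c->param('search') // 'nobody';
warn "search parameter is tainted\n" if tainted($raw);

# Untaint by extracting only what a plain name may contain. The captured
# group is untainted; input that does not match is rejected outright.
my ($search) = $raw =~ /\A([A-Za-z0-9._ -]{1,64})\z/
    or die "search parameter rejected: not a plain name\n";

# List form of system() never goes through a shell, so the filter string
# reaches search.pl as one argv element no matter what it contains.
system($exec, "(cn=" . $search . " *)") == 0
    or die "$exec failed: " . ($? == -1 ? $! : "exit status " . ($? >> 8)) . "\n";

print $c->end_html, "\n";
```

The regex does two jobs at once: it is the allow-list check Lesley asks for, and because Perl treats a capture from a pattern match as untainted, it is also what satisfies -T. Keep the pattern as tight as the data allows; a catch-all like /(.*)/ untaints without validating, which defeats the purpose.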
