2014-09-25 19:36 GMT+01:00, Christian Jaeger <chr...@gmail.com>: > but, I actually wonder whether the usual Perl variables like PERL5LIB, > PERL5OPT, LOGDIR, PERL5DB, PERL5SHELL etc. can't be set and misused > through CGI.
They can't. I was being stupid, this is not a case where users can decide on the variable names (i.e. query parameters are *not* passed as individual env variables). As also Dagfinn has written in his post (which arrived after I wrote mine), it will still a problem with bash though (unless CGI.pm or so deletes or cleans the CGI env variables, I haven't checked that).
