> That would be ALL of it wouldn't it? <G>
>
> Anyway, I'm still not sure how the hello world script violates the use
> of tainted data... it just goes to STDOUT (browser).

Maybe because you load some other module which is not taint-clean. Look
at it this way -- lots of people run more complicated code than a
"hello world" and don't have a taint problem. So there is something
different about your server. Try to remove any preload and other code that
you don't need and start afresh with a hello world script, then move back
the rest one by one until you find the offensive one. BTW, try testing it
with mod_cgi too, don't forget to add -wT at the shebang line...

> If I understand this correctly, I've got to run *all* my user input
> through a regex and use the resultant $1, $2 parts as my data? What
> about data from an SQL db via DBI, is that "pre-tainted"?

Not really, there are also other things to do when Perl complains about
taint problems. Like setting $ENV{PATH} and more... the manpage talks
about these *other* things.

> Thanks, John.
> PS The updated guide is very nice. (Maybe my problem is I shouldn't be
> reading the guide, the panther book, the ram book, and the eagle book,
> all at the same time. <G>)
:)
>
> > -----Original Message-----
> > From: Stas Bekman [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 10, 2000 4:34 PM
> > To: John Walker
> > Cc: '[EMAIL PROTECTED]'
> > Subject: Re: Hey, that ain't tainted, is it?
> >
> >
> >
> > % perldoc perlsec
> > -- is what you are looking for. it's all there...
> [...]
>
_______________________________________________________________________
Stas Bekman mailto:[EMAIL PROTECTED] http://www.stason.org/stas
Perl,CGI,Apache,Linux,Web,Java,PC http://www.stason.org/stas/TULARC
perl.apache.org modperl.sourcegarden.org perlmonth.com perl.org
single o-> + single o-+ = singlesheaven http://www.singlesheaven.com
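
The points discussed in this thread (printing tainted data is allowed, regex captures untaint, and $ENV{PATH} must be set), shown as an added example that is not part of the original messages. The helper name `untaint_word`, its allow-list pattern and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl -wT
# Added example, not code from the thread. Sample values are constructed.
use strict;
use Scalar::Util qw(tainted);

# The "other things" from perlsec: taint mode will not run external
# programs until PATH is a known value and these variables are gone.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: return an untainted copy of $value if it matches
# a strict allow-list pattern, otherwise undef. Only the captured $1 is
# untainted; the original scalar stays tainted.
sub untaint_word {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

# Stand-in for CGI input: appending a zero-length tainted string ($^X is
# tainted under -T) taints the constructed sample values.
my $taint = substr($^X, 0, 0);
my @input = map { $_ . $taint } ('john_walker', 'bad name!');

for my $raw (@input) {
    # Printing tainted data to STDOUT is allowed; taint mode only guards
    # operations that affect files, processes or the shell.
    print "raw '$raw' tainted: ", (tainted($raw) ? 'yes' : 'no'), "\n";

    my $clean = untaint_word($raw);
    if (defined $clean) {
        print "  accepted '$clean' tainted: ",
            (tainted($clean) ? 'yes' : 'no'), "\n";
    } else {
        print "  rejected: does not match the allow-list pattern\n";
    }
}

# Using a tainted value in an open-for-write dies before touching the file.
my $path = '/dev/null' . $taint;
my $ok = eval { open(my $fh, '>', $path) or die "open: $!"; 1 };
print "open with tainted path: ", ($ok ? "allowed\n" : "died: $@");
```

Run it as `perl -wT script.pl` or execute it directly; with -T only on the shebang line and not on the command line, Perl refuses to start the script.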