On Wed, Jul 09, 2003 at 05:40:32PM +0200, Dominique Quatravaux wrote:
> > In plain CGI, I normally do this inside a BEGIN
> > block; in mod_perl however, this doesn't work.
>
> This would work if this was done in a <Perl> section of the httpd.conf
> file (this is what I do). I am not sure why the BEGIN block is not
> executed, but my guess is that the environment gets automatically
> restored at the end of every script run under Apache::Registry,
> including the tainted PATH.
>

I need some help with this. Can you share the code you use w/in your
<Perl> section? I'm pretty confused because I was able to untaint my
PATH var. by putting

    $ENV{PATH} = '/bin';

in the ***same scope*** where I was getting the error. For example

    $ENV{PATH} = '/bin';
    my @files = `/bin/ls $path`; # $path is already untainted

was OK; leave out the $ENV line and I get an Insecure $ENV{PATH} error.

This works (don't know why) but I would prefer to fix the PATH in one
place rather than having to do so everywhere I shell out or use
backticks.

Thanks,
P

--
^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
Peter B. Ensch ([EMAIL PROTECTED])

Linux 2.4.20-4GB 8:21pm Up 18 days 2:55
^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
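
One way to set the PATH in a single place, as the message above asks, is to route every external command through one helper that supplies its own clean environment. This is an added example, not code from either poster; `run_clean`, the sample directory and the untaint pattern are hypothetical, and it does not show the <Perl>-section approach mentioned in the quoted reply.

```perl
# Run with taint checks enabled, e.g.  perl -T thisfile.pl
use strict;
use warnings;

# Hypothetical helper (not from the thread): run an external command with a
# fixed, minimal environment so the taint check on PATH passes no matter
# what the surrounding process environment looks like.
sub run_clean {
    my @cmd = @_;

    # local() restores the caller's %ENV when this sub returns. Starting
    # from an empty hash also drops IFS, CDPATH, ENV and BASH_ENV, which
    # perlsec recommends removing before starting a subprocess.
    local %ENV = (PATH => '/bin');

    # List-form pipe open: the program is executed directly, so no shell
    # ever parses the arguments and metacharacters in them stay literal.
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    chomp(my @out = <$fh>);
    close($fh) or die "$cmd[0] failed, exit status " . ($? >> 8);
    return @out;
}

# Constructed sample input. Real input would arrive tainted and has to be
# untainted by capturing from a strict pattern, as done here.
my $dir = '/tmp';
my ($path) = $dir =~ m{\A(/[\w./-]+)\z} or die "unexpected path: $dir";

# Same listing as the backtick call in the message, without a shell.
# '--' stops option parsing in case $path ever begins with a dash.
my @files = run_clean('/bin/ls', '--', $path);
print "$_\n" for @files;
```

Because the environment is localized inside the helper, the fix does not depend on whether Apache::Registry restores %ENV between requests.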