On Tue, Jul 15, 2003 at 12:19:14PM +0300, Stas Bekman wrote:
> Dominique Quatravaux wrote:
> >> Sorry, getting out of good ideas.. 
> >
> >
> >  Surprise, surprise: I found out that my code does not work under
> >mod_perl 1.23 either! And I found the real solution: one has to add
> >
> >  PerlSetupEnv Off
> >
> >to the Apache configuration file. Now the untainting mumbo-jumbo in
> ><perl> section works.
> >
> >  Warning: this has the consequence of breaking the part of the CGI
> >environment emulation that deals with environment (e.g. instead of
> >$ENV{"HTTP_USER_AGENT"}, you now have to check
> >Apache->request()->subprocess_env("HTTP_USER_AGENT")). Glancing at its
> >source code, I don't think CGI.pm will survive that...
> >
> >  BTW, I finally got around to reading mod_perl's source, and it
> >is now clear to me that the environment, when being copied from
> >->subprocess_env() into %ENV, gets tainted (around line 704 in
> >src/modules/perl/mod_perl.c). The whole %ENV gets tainted, not just
> >the HTTP_USER_AGENT and such from the CGI context, so PATH is tainted
> >as well. This explains our now common problem - and also guarantees
> >that there is no easy way out of it if you use CGI.pm yourself :-(.
> 
> You need to untaint the variables before you use them. Since they get reset 
> on every request, you need to untaint them inside your script/handler's run 
> time, not the BEGIN block...:
> http://perl.apache.org/docs/1.0/guide/porting.html#BEGIN_blocks
> 
> It should work just fine with mp1 and mp2.
> 
> Relying on 'PerlSetupEnv Off' is not a very good idea, since if you want to 
> release your code for others to use, they may not be able to turn it off, 
> since it'll break their CGI-legacy code as you have observed.
> 
> FWIW, I use the following code when I need to use ``|qx:
> 
> local $ENV{PATH} = "/bin:/usr/bin";
> local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
> 
> 

But this code must be used in each scope where you intend to use 
backticks, a system call, etc. Is there no way to untaint your
PATH environment one time for the script or handler?

P

-- 
^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
Peter B. Ensch ([EMAIL PROTECTED])   
                                       
Linux 2.4.20-4GB 5:47am Up 2 days 18:47
^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
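
The two `local` lines quoted above, wrapped in a single helper so that every external command goes through one place, as an added example that is not code from this thread. The name `run_clean` and the sample command are assumptions; the script reports the taint state of PATH before and after the call so the scope of `local` can be observed.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as: perl -T run_clean.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# run_clean() is a hypothetical helper name.
# Runs an external command with a fixed environment and returns its output.
# The local()s are undone when the sub returns, so %ENV is only changed
# while the child process is started and read.
sub run_clean {
    my @cmd = @_;
    local $ENV{PATH} = "/bin:/usr/bin";           # literal value, not tainted
    local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };    # undef for this scope only

    # List-form pipe open: no shell is involved, arguments are passed as-is.
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my @out = <$fh>;
    close($fh) or die "$cmd[0] failed: " . ($! || "exit status $?");
    return join '', @out;
}

# Report whether the current $ENV{PATH} carries the taint flag.
sub taint_state { return tainted($ENV{PATH}) ? "tainted" : "clean" }

print "PATH before call: ", taint_state(), "\n";
print run_clean('/bin/echo', 'hello from child');   # constructed sample command
print "PATH after call:  ", taint_state(), "\n";
```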
