Michael Peters wrote:
>
> jalex wrote:
>> I'm running mod_perl 2.0.2 under apache 2.0.54. After adding
>> "PerlSwitches -wT" to my apache config, I wanted to test that taint mode
>> was indeed working, so I wrote a test script that purposely misused a CGI
>> parameter, expecting the taint exception to be thrown. I was surprised to
>> find it was not, so I wrote this small test case:
>>
>> #!/usr/bin/perl -T
>
> Taint is not controlled by the shebang line on the script because taint is
> interpreter wide and must be turned on when the interpreter starts, i.e.
> when Apache starts.
>
> Try adding
>
> PerlSwitches -T
>
> to your httpd.conf
>
Note that the section you quoted says that I did exactly that. The -T is also on the shebang line so that the same script will have taint enabled when run from mod_cgi.

Also note that later in my post, I state that unsafe references to environment variables trigger that taint exception as expected, so taint mode does appear to be working in my mod_perl2 environment. CGI parameters, however, when obtained through the CGI.pm param() method, are unexpectedly not tainted.

--
View this message in context: http://www.nabble.com/CGI-%3Eparams%28%29-should-be-tainted%2C-right--tf4858333.html#a13913188
Sent from the mod_perl - General mailing list archive at Nabble.com.
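A diagnostic for the question raised in this thread, as an added example that is not part of either poster's message: it reports whether the interpreter is in taint mode and whether environment values and CGI.pm `param()` values actually carry the taint flag. It assumes the script runs under mod_cgi or a mod_perl registry handler; the parameter name `name` and its allow-list pattern are hypothetical.

```perl
#!/usr/bin/perl -T
# Added diagnostic (not from the thread): show, per input source, whether
# the value is flagged as tainted in the interpreter serving this request.
use strict;
use warnings;
use CGI ();
use Scalar::Util qw(tainted);

my $q = CGI->new;
print $q->header('text/plain');

# ${^TAINT} is read-only: 1 = -T in effect, -1 = -t (warnings only), 0 = off.
# Under mod_perl this reflects how the interpreter was started, not the
# shebang line of this script.
printf "taint mode flag: %d\n", ${^TAINT};

# Environment values: expected to be tainted when taint mode is on.
for my $key (qw(PATH QUERY_STRING HTTP_USER_AGENT)) {
    next unless defined $ENV{$key};
    printf "ENV{%s}: %s\n", $key,
        tainted($ENV{$key}) ? 'tainted' : 'NOT tainted';
}

# Request parameters as returned by CGI.pm: report each one explicitly
# instead of assuming the flag is set.
for my $name ($q->param) {
    my $value = scalar $q->param($name);
    printf "param(%s): %s\n", $name,
        tainted($value) ? 'tainted' : 'NOT tainted';
}

# Validate regardless of the flag: an allow-list match both checks the
# value and (when taint mode is on) yields an untainted copy in $1.
# 'name' is a hypothetical parameter used only for illustration.
my $raw = scalar $q->param('name');
if (defined $raw && $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/) {
    my $clean = $1;
    printf "name accepted: %s (%s)\n", $clean,
        tainted($clean) ? 'tainted' : 'untainted';
}
elsif (defined $raw) {
    print "name rejected by allow-list\n";
}
```

Requesting the script with a query string such as `?name=test` under both mod_cgi and mod_perl gives a side-by-side view of which sources are flagged in each environment.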