Hello. Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.
I've noticed what seems to be a case of taint mode being ignored with respect to CGI params when running under mod_perl. The following:

    #!/usr/bin/perl -T
    use strict;
    use warnings;

    $ENV{'PATH'} = "/bin:/usr/bin";
    #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

    use CGI;
    my $q = CGI->new;
    my $foo = $q->param('foo');

    # $foo comes straight from the request; under -T this open should die
    open OF, "> /tmp/$foo";
    print OF "blah blah blah";
    close OF;

    print "Content-type: text/html\n\n";
    print "Taint: ${^TAINT}<br>";
    print "done<br>";

behaves normally when run without mod_perl, i.e. it tosses 500 errors and screams bloody murder. However, with the following setup (only relevant parts shown):

    PerlTaintCheck On
    PerlWarn On

    <VirtualHost *:80>
        Alias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory /usr/lib/cgi-bin>
            Options +ExecCGI -Multiviews
            SetHandler perl-script
            PerlOptions +ParseHeaders
            PerlResponseHandler ModPerl::Registry
        </Directory>
    </VirtualHost>

the CGI runs without error, opening files under /tmp based on CGI parameter inputs. The taint mode flag shows that taint mode is enabled, and if $ENV{PATH} is not cleaned, it throws errors. The behavior is the same with both PerlTaintCheck On and PerlSwitches -T.

What am I missing? I have production code that is apparently not as protected as I would like.

Thanks in advance.

--
-Nik
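One way to diagnose and defend against this, as an added example that is not part of the original post: ${^TAINT} only reports that the interpreter was started with -T, while Scalar::Util::tainted() reports whether a particular value actually carries the taint flag, so the script below prints both for the 'foo' parameter. Independently of what taint mode does, it then untaints the value the standard way, by capturing it through a strict regex (a hypothetical safe_basename helper with an assumed allow-list of basename characters) and only then uses it under /tmp, so the file open no longer depends on the interpreter aborting.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's script: report whether a CGI
# parameter arrives tainted under the current handler, and validate it
# explicitly before it is used in a filename.
use strict;
use warnings;
use CGI;
use File::Spec;
use Scalar::Util qw(tainted);

$ENV{PATH} = "/bin:/usr/bin";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed allow-list: a short plain basename that cannot start with '.'
# and contains no path separators. Returns the untainted capture, or
# undef when the input does not conform (the caller must reject it).
sub safe_basename {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return;
}

my $q   = CGI->new;
my $foo = $q->param('foo');

print $q->header('text/plain');
printf "Taint mode: %s\n", ${^TAINT} ? "on" : "off";
printf "param 'foo' tainted: %s\n",
    (defined $foo && tainted($foo)) ? "yes" : "no";

my $name = safe_basename($foo);
if (!defined $name) {
    print "rejected: 'foo' is missing or contains disallowed characters\n";
    exit 0;
}

# $name is a validated basename, so it cannot escape /tmp via '..' or '/'.
my $path = File::Spec->catfile('/tmp', $name);
open my $of, '>', $path or die "open $path: $!";
print $of "blah blah blah\n";
close $of or die "close $path: $!";
print "wrote $path\n";
```

If the second line reports "no" under ModPerl::Registry while the same request reports "yes" as a plain CGI, the value itself has lost its taint flag somewhere between the request and $q->param, which narrows the search; either way, the regex capture is what actually protects the open.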