Last I heard, taint mode in mod_perl didn't always work.  See:

http://marc.info/?l=apache-modperl&m=119749949626698&w=2


That was a while back, maybe it's been fixed by now.

-----Scott.


On Tue, May 25, 2010 at 10:26 AM, Nik Ogura <nik.og...@gmail.com> wrote:

> Hello.
>
> Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.
>
> I've noticed what seems to be a case of Taint mode being ignored with
> respect to CGI params when running under mod_perl.
>
> The following:
>
>        #!/usr/bin/perl -T
>
>        use strict;
>        use warnings;
>
>        $ENV{'PATH'} = "/bin:/usr/bin";
>        #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
>
>        use CGI;
>        my $q = CGI->new;
>
>        my $foo = $q->param('foo');
>
>        open OF, "> /tmp/$foo";
>
>        print OF "blah blah blah";
>        close OF;
>
>        print "Content-type: text/html\n\n";
>
>        print "Taint: ${^TAINT}<br>";
>
>        print "done<br>";
>
> Behaves normally when run without mod_perl, i.e. it tosses 500 errors
> and screams bloody murder.  However with the following setup: (only
> relevant parts shown)
>
> PerlTaintCheck  On
> PerlWarn        On
>
> <VirtualHost *:80>
>        Alias   /cgi-bin/       /usr/lib/cgi-bin/
>
>        <Directory /usr/lib/cgi-bin>
>                Options +ExecCGI -Multiviews
>
>                SetHandler                      perl-script
>                PerlOptions                     +ParseHeaders
>                PerlResponseHandler             ModPerl::Registry
>        </Directory>
>
> </VirtualHost>
>
> The cgi runs without error, opening files under /tmp based on CGI
> parameter inputs.  The taint mode flag shows that taint mode is enabled,
> and if $ENV{PATH} is not cleaned, it throws errors.  The behavior is the
> same with both PerlTaintCheck On  and PerlSwitches -T.
>
> What am I missing?  I have production code that is apparently not as
> protected as I would like.
>
> Thanks in advance.
>
> --
> -Nik
>
>

Reply via email to