Last I heard, taint mode in mod_perl didn't always work. See: http://marc.info/?l=apache-modperl&m=119749949626698&w=2
That was a while back, maybe it's been fixed by now. -----Scott. On Tue, May 25, 2010 at 10:26 AM, Nik Ogura <nik.og...@gmail.com> wrote: > Hello. > > Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29. > > I've noticed what seems to be a case of Taint mode being ignored with > respect to CGI params when running under mod_perl. > > The following: > > #!/usr/bin/perl -T > > use strict; > use warnings; > > $ENV{'PATH'} = "/bin:/usr/bin"; > #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; > > use CGI; > my $q = CGI->new; > > my $foo = $q->param('foo'); > > open OF, "> /tmp/$foo"; > > print OF "blah blah blah"; > close OF; > > print "Content-type: text/html\n\n"; > > print "Taint: ${^TAINT}<br>"; > > print "done<br>"; > > Behaves normally when run without mod_perl, i.e. it tosses 500 errors > and screams bloody murder. However with the following setup: (only > relevant parts shown) > > PerlTaintCheck On > PerlWarn On > > <VirtualHost *:80> > Alias /cgi-bin/ /usr/lib/cgi-bin/ > > <Directory /usr/lib/cgi-bin> > Options +ExecCGI -Multiviews > > SetHandler perl-script > PerlOptions +ParseHeaders > PerlResponseHandler ModPerl::Registry > </Directory> > > </VirtualHost> > > The cgi runs without error, opening files under /tmp based on CGI > parameter inputs. The taint mode flag shows that taint mode is enabled, > and if $ENV{PATH} is not cleaned, it throws errors. The behavior is the > same with both PerlTaintCheck On and PerlSwitches -T. > > What am I missing? I have production code that is apparently not as > protected as I would like. > > Thanks in advance. > > -- > -Nik > >