Last I heard, taint mode in mod_perl didn't always work. See:
http://marc.info/?l=apache-modperl&m=119749949626698&w=2
That was a while back, maybe it's been fixed by now.
-----Scott.
On Tue, May 25, 2010 at 10:26 AM, Nik Ogura <nik.og...@gmail.com> wrote:
> Hello.
>
> Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.
>
> I've noticed what seems to be a case of Taint mode being ignored with
> respect to CGI params when running under mod_perl.
>
> The following:
>
> #!/usr/bin/perl -T
>
> use strict;
> use warnings;
>
> $ENV{'PATH'} = "/bin:/usr/bin";
> #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
>
> use CGI;
> my $q = CGI->new;
>
> my $foo = $q->param('foo');
>
> open OF, "> /tmp/$foo";
>
> print OF "blah blah blah";
> close OF;
>
> print "Content-type: text/html\n\n";
>
> print "Taint: ${^TAINT}<br>";
>
> print "done<br>";
>
> Behaves normally when run without mod_perl, i.e. it tosses 500 errors
> and screams bloody murder. However with the following setup: (only
> relevant parts shown)
>
> PerlTaintCheck On
> PerlWarn On
>
> <VirtualHost *:80>
> Alias /cgi-bin/ /usr/lib/cgi-bin/
>
> <Directory /usr/lib/cgi-bin>
> Options +ExecCGI -Multiviews
>
> SetHandler perl-script
> PerlOptions +ParseHeaders
> PerlResponseHandler ModPerl::Registry
> </Directory>
>
> </VirtualHost>
>
> The cgi runs without error, opening files under /tmp based on CGI
> parameter inputs. The taint mode flag shows that taint mode is enabled,
> and if $ENV{PATH} is not cleaned, it throws errors. The behavior is the
> same with both PerlTaintCheck On and PerlSwitches -T.
>
> What am I missing? I have production code that is apparently not as
> protected as I would like.
>
> Thanks in advance.
>
> --
> -Nik
>
>
