[Pdx-pm] [csieh at fnal.gov: Re: Horribly Broken RHEL5/SL5 Perl]
chromatic
chromatic at wgz.org
Tue Aug 26 12:51:14 PDT 2008
On Tuesday 26 August 2008 11:12:39 Daniel Johnson wrote:
> > The next important step is to always invoke perl with:
> > #!/usr/bin/env perl
> > Do not use:
> > #!/usr/bin/perl
> The /usr/bin/env trick has significant security considerations.
> Consider a cgi example.
>
> http://example.com/cgi/submit.pl?PATH=/tmp
>
> Which would run whatever is called perl in the temp directory instead
> of calling the real perl to compile, and run the cgi script.
How do you have your webserver configured such that that's an issue? I've
never seen query parameters put into %ENV.
-- c
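The dependency Daniel describes, as an added example (not code from the thread or the Pdx-pm list): `/usr/bin/env perl` executes the first `perl` found on PATH, so what a `#!/usr/bin/env perl` CGI script runs is decided by whatever PATH the web server hands it. The stand-in interpreters, directories and function names below are constructed for the demo; nothing here needs a real perl.

```shell
#!/bin/sh
# Added example: show what `#!/usr/bin/env perl` resolves to under a given
# PATH, and check it against the interpreter an administrator expects.

# Create a constructed fake "perl" in directory $1 that reports which file ran.
make_fake_perl() {
    cat > "$1/perl" <<'EOF'
#!/bin/sh
printf '%s\n' "$0"
EOF
    chmod +x "$1/perl"
}

# Resolve what `/usr/bin/env perl` executes when PATH is $1.
# Prints the resolved path; returns non-zero when env finds no perl at all.
resolve_env_perl() {
    PATH="$1" /usr/bin/env perl 2>/dev/null
}

# Return 0 only if resolution under PATH=$1 is the expected interpreter $2.
# To audit a real deployment, feed this the PATH the web server actually sets
# for CGI (e.g. as reported by $ENV{PATH} from a test script), not a login shell's.
check_env_perl() {
    found=$(resolve_env_perl "$1") || return 1
    [ "$found" = "$2" ]
}

# Demo: two directories, each holding its own "perl"; PATH order decides.
demo() {
    sys=$(mktemp -d); other=$(mktemp -d)
    make_fake_perl "$sys"; make_fake_perl "$other"
    printf 'PATH=%s -> %s\n' "$sys:$other" "$(resolve_env_perl "$sys:$other")"
    printf 'PATH=%s -> %s\n' "$other:$sys" "$(resolve_env_perl "$other:$sys")"
    if check_env_perl "$other:$sys" "$sys/perl"; then
        echo "ok: env resolves to the expected interpreter"
    else
        echo "WARNING: env would run a different perl than expected"
    fi
    rm -rf "$sys" "$other"
}
demo
```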