[Pdx-pm] [csieh at fnal.gov: Re: Horribly Broken RHEL5/SL5 Perl]

chromatic chromatic at wgz.org
Tue Aug 26 12:51:14 PDT 2008


On Tuesday 26 August 2008 11:12:39 Daniel Johnson wrote:

> > The next important step is to always invoke perl with:
> > #!/usr/bin/env perl
> > Do not use:
> > #!/usr/bin/perl

> The /usr/bin/env trick has significant security considerations.
> Consider a cgi example.
>
> http://example.com/cgi/submit.pl?PATH=/tmp
>
> Which would run whatever is called perl in the temp directory instead
> of calling the real perl to compile, and run the cgi script.

How do you have your webserver configured such that that's an issue?  I've 
never seen query parameters put into %ENV.

-- c
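The exchange above turns on one mechanism: `/usr/bin/env perl` picks whichever executable named `perl` appears first in `PATH`, so the interpreter that runs the script is decided by the environment the web server hands to the CGI process, not by the script. The following shell snippet is an added example, not code from the thread or from either poster; it emulates env(1)'s lookup with a small function and then shows, using two constructed directories (names like `trusted/bin` and `writable/tmp` are made up for the demo), how the chosen interpreter changes between an untrusted `PATH` and one pinned to a known directory. A defender can use the same function to audit what `PATH` a CGI or cron environment actually exposes before trusting an `env`-based shebang.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emulate how /usr/bin/env
# locates "perl" by walking PATH, so the effect of a given PATH on a
# "#!/usr/bin/env perl" script can be checked without executing the script.

# resolve_in_path PATHVALUE NAME
# Print the first executable regular file named NAME found in the
# colon-separated PATHVALUE, which is the entry execvp(3)/env(1) would run.
# Returns 1 (printing nothing) when no entry qualifies.
resolve_in_path() {
    _path=$1
    _name=$2
    _saved_ifs=$IFS
    IFS=:
    for _dir in $_path; do
        [ -z "$_dir" ] && _dir=.        # an empty PATH element means "."
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            IFS=$_saved_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# Build two constructed directories, each holding a stub "perl", and show
# which stub env would select under an untrusted PATH versus a pinned one.
demo_path_pinning() {
    _work=$(mktemp -d)
    mkdir -p "$_work/trusted/bin" "$_work/writable/tmp"
    printf '#!/bin/sh\necho trusted-perl\n' > "$_work/trusted/bin/perl"
    printf '#!/bin/sh\necho tmp-perl\n'     > "$_work/writable/tmp/perl"
    chmod 755 "$_work/trusted/bin/perl" "$_work/writable/tmp/perl"

    # Untrusted: a world-writable directory precedes the trusted one.
    _untrusted="$_work/writable/tmp:$_work/trusted/bin"
    # Pinned: the environment names only directories the admin controls,
    # which is what a hardened CGI/cron environment should look like.
    _pinned="$_work/trusted/bin"

    printf 'untrusted PATH selects: %s\n' "$(resolve_in_path "$_untrusted" perl)"
    printf 'pinned PATH selects:    %s\n' "$(resolve_in_path "$_pinned" perl)"
    rm -rf "$_work"
}

demo_path_pinning
```

Run it as `sh script.sh`; the first line names the stub under `writable/tmp`, the second the one under `trusted/bin`. The function only inspects the filesystem, so it can be pointed at the real `PATH` a service receives (for example from `env` inside a test CGI) to confirm that no writable directory precedes the system `perl`.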

