[Purdue-pm] Problem with she-bang and PERL5OPT

Doug Yatcilla yatcilla at purdue.edu
Fri Nov 21 06:51:27 PST 2014


On Thu Nov 20 22:27:25 2014, Rick Westerman <westerman at purdue.edu> wrote:
> Others:  Yes, I know that setting PERL5OPT outside the program will
> carry through.  That isn’t possible in my scenario — executing Perl
> programs via Apache (the only real reason to use taint in the first
> place) unless we make all programs use taint.   If someone has a
> suggestion on how to run individual web programs using taint I am
> all ears.  

Rick,

You are mistaken.  You can use a wrapper script (with or without
apache) to set environment variables that will be passed to perl or
other scripts.

Let your perl script be /opt/scripts/job1
Let your Apache CGI directory be /opt/cgi-bin

Here is /opt/cgi-bin/taint: (not tested)
----------------------------------------------------------------------
#!/bin/bash
# wrapper script for running perl with taint mode enabled

# set any arbitrary shell environment vars
# or assume sane ones are inherited from apache config
# (exported so the perl process actually sees them)
export PATH=/usr/bin:/any/other/safe/paths
export PERL5OPT=-T   # redundant here: perl is started with -T below anyway

# directory containing perl programs
cgiroot=/opt/scripts

# name of the script: first argument if given, otherwise the extra path
# segment Apache hands a CGI program in PATH_INFO (/cgi-bin/taint/job1 -> job1)
name=${1:-${PATH_INFO#/}}

# allow only a plain file name, so "../" cannot reach outside $cgiroot
case $name in
  ''|*/*|.*)
    echo "Content-Type: text/plain"; echo
    echo "$0: bad script name"
    exit 1 ;;
esac
script=$cgiroot/$name

# run the script which is passed as an argument from apache
if [[ -r $script ]]; then
  exec perl -T "$script"
else
  echo "Content-Type: text/plain"; echo
  echo "$0: script $script not found"
  exit 1
fi
----------------------------------------------------------------------

To invoke, use web address: http://my.server.com/cgi-bin/taint/job1

In the taint script given above, the actual perl script is invoked
with "perl -T" so the shell script didn't need to set the PERL5OPT
variable, nor does the /opt/scripts/job1 perl script even need to
have its execute bit set or have a #! as the first line.

The rationale for keeping the actual scripts outside the apache CGI
directory is so someone cannot avoid the wrapper script and invoke the
script directly from a web address (and bypass taint mode).
Nonetheless, you might as well put in a check in your perl script to
stop if taint mode isn't enabled.

Getting back to perl, I wonder why you can't just turn on taint mode
with a "use taint;" directive along the lines of "use warnings;".  I
read that it is "too late" to enable it once the program starts, but
don't understand why. 

That seems to be what this module provides:
http://search.cpan.org/~sharyanto/tainting-0.01/
But, it appears to be a proof of concept.

Another, older, probably abandoned module along similar lines is:
http://search.cpan.org/~rhandom/Taint-Runtime-0.03/
Its documentation specifically mentions the use case of migrating lots
of apache cgi scripts one at a time to using taint mode, which is
exactly what you appear to want to do.

-Doug

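The check Doug suggests (stop if taint mode is off), as an added Perl example that is not code from the thread; the "name" parameter and the /var/lib/example-cgi directory are assumptions:

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a CGI script that stops unless the
# wrapper really started perl with -T, then shows what taint mode enforces.
use strict;
use warnings;

# ${^TAINT} is 1 under -T, -1 under -t (warnings only) and 0 otherwise.
# This is the "check in your perl script" mentioned in the post.
unless (${^TAINT} == 1) {
    print "Content-Type: text/plain\r\n\r\n";
    print "refusing to run: taint mode is not enabled\n";
    exit 1;
}

# Taint mode refuses to run external commands while %ENV is untrusted, so
# set PATH explicitly and drop the shell variables perlsec warns about.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical 'name' parameter parsed straight from QUERY_STRING
# (constructed here so the example needs no CGI module). Everything that
# comes from %ENV is tainted.
my %param = map { my ($k, $v) = split /=/, $_, 2; ($k, $v // '') }
            split /&/, ($ENV{QUERY_STRING} // '');
my $name = $param{name} // '';

# The only way to untaint is a regex capture against a whitelist pattern.
# A plain copy ($copy = $name) keeps the taint.
my ($safe) = $name =~ /^([A-Za-z0-9_-]{1,32})\z/;

print "Content-Type: text/plain\r\n\r\n";
if (!defined $safe) {
    print "bad name\n";
    exit 0;
}

# Hypothetical per-user data directory: opening this for writing with $name
# instead of $safe dies with "Insecure dependency in open while running with
# -T switch" (note that open for reading is not checked by taint mode).
my $dir = '/var/lib/example-cgi';
open my $log, '>>', "$dir/$safe.log" or die "cannot append to $dir/$safe.log: $!";
print $log scalar(localtime), " visit\n";
close $log;
print "hello, $safe\n";
```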
