[Purdue-pm] Problem with she-bang and PERL5OPT

Rick Westerman westerman at purdue.edu
Fri Nov 21 07:39:17 PST 2014
----- Original Message -----
> On Thu Nov 20 22:27:25 2014, Rick Westerman <westerman at purdue.edu>
> wrote:
> > Others: Yes, I know that setting PERL5OPT outside the program will
> > carry through. That isn’t possible in my scenario — executing Perl
> > programs via Apache (the only real reason to use taint in the first
> > place) unless we make all programs use taint. If someone has a
> > suggestion on how to run individual web programs using taint I am
> > all ears.
> 
> Rick,
> 
> You are mistaken. You can use a wrapper script (with or without
> apache) to set environment variables that will be passed to perl or
> other scripts.

Just exactly what I said ... or at least what I meant to say. I know that setting PERL5OPT (or any env variable) outside my program and having it passed to my program is possible. Using a script to run my program is exactly that. Setting vars on the command line before running my program is exactly that. Setting vars inside Apache is exactly that. At least three different methods. What is not possible (for RedHat/RCAC but not for MacOS) is setting the variables on the shebang line. I am now convinced of that. Irritating, but now to implement a work-around.

Doug: If you want to install a 'taintperl' program in 5.20's path I'll use that. Simply taking the given program and executing it with 'perl -T' should be sufficient. Or I can do the install if you prefer. If I put '#!/usr/bin/env taintperl' on the shebang line then even if the program is in the 'cgi-bin' it will be taint-protected. No need to move it outside the directory. By not doing the move it makes the transition of other programs to 'taint' that much easier. Thanks!

As for your comment about 'use taint;' similar to 'use strict' -- yeah, I wonder about that myself. There is some sort of deep internal-to-Perl-compiling timing issue here that I don't understand.

As for Taint-Runtime-0.03: it indeed hasn't been developed for a while; since 2005. Does that mean it is obsolete? Or just so perfectly done that it does not need improving? Or is it just overkill? Certainly the comments in the documentation all address my concerns, i.e., migrating one program at a time, not being able to use '-T' from the shebang line. Anyway, implementing a 'taintperl' program seems more straightforward.

-- Rick

> 
> Let your perl script be /opt/scripts/job1
> Let your Apache CGI directory be /opt/cgi-bin
> 
> Here is /opt/cgi-bin/taint: (not tested)
> ----------------------------------------------------------------------
> #!/bin/bash
> # wrapper script for running perl with taint mode enabled
>
> # set any arbitrary shell environment vars
> # or assume sane ones are inherited from apache config
> export PATH=/usr/bin:/any/other/safe/paths
> export PERL5OPT=-T   # redundant here: perl is run with -T explicitly below
>
> # directory containing perl programs
> cgiroot=/opt/scripts
>
> # apache passes the trailing part of the URL (/job1) in PATH_INFO,
> # not as a command-line argument; strip the leading slash
> name=${PATH_INFO#/}
>
> # accept a plain file name only, so "../" or a dotfile cannot escape $cgiroot
> case $name in
>   ''|*/*|.*) name= ;;
> esac
> script=$cgiroot/$name
>
> # run the script named by the URL path that apache passed to us
> if [[ -n $name && -f $script && -r $script ]]; then
>   exec perl -T "$script"
> else
>   # a CGI must still emit headers, or apache reports a 500 instead of this
>   printf 'Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n'
>   echo "$0: script $script not found"
>   exit 1
> fi
> ----------------------------------------------------------------------
> 
> To invoke, use web address: http://my.server.com/cgi-bin/taint/job1
> 
> In the taint script given above, the actual perl script is invoked
> with "perl -T" so the shell script didn't need to set the PERL5OPT
> variable, nor does the /opt/scripts/job1 perl script even need to
> have its execute bit set or have a #! as the first line.
> 
> The rationale for keeping the actual scripts outside the apache CGI
> directory is so someone cannot avoid the wrapper script and invoke the
> script directly from a web address (and bypass taint mode).
> Nonetheless, you might as well put in a check in your perl script to
> stop if taint mode isn't enabled.
> 
> Getting back to perl, I wonder why you can't just turn on taint mode
> with a "use taint;" directive along the lines of "use warnings;". I
> read that it is "too late" to enable it once the program starts, but
> don't understand why.
> 
> That seems to be what this module provides:
> http://search.cpan.org/~sharyanto/tainting-0.01/
> But, it appears to be a proof of concept.
> 
> Another, older, probably abandoned module along similar lines is:
> http://search.cpan.org/~rhandom/Taint-Runtime-0.03/
> Its documentation specifically mentions the use case of migrating lots
> of apache cgi scripts one at a time to using taint mode, which is
> exactly what you appear to want to do.
> 
> -Doug

-- 
Rick Westerman 
westerman at purdue.edu

Bioinformatics specialist at the Genomics Facility.
Phone: (765) 494-0505           FAX: (765) 496-7255
Department of Horticulture and Landscape Architecture
625 Agriculture Mall Drive
West Lafayette, IN 47907-2010
Physically located in room S049, WSLR building
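The shebang behaviour that the thread keeps circling back to can be seen directly, without Perl installed. The script below is an added demonstration, not code from either message: it builds a throwaway "interpreter" that prints every argument it receives, then runs a script whose #! line hands that interpreter some trailing text. On Linux the kernel passes everything after the interpreter path as a single argument and then appends the script path, so a line such as "#!/usr/bin/env PERL5OPT=-T perl" (an assumed example of what was tried; the thread does not show the exact line) reaches env as the one word "PERL5OPT=-T perl", while a single token such as "taintperl" arrives intact. macOS splits the trailing text on whitespace, which is why the same line behaves differently there. The temp-directory layout and the printer script are the example's own.

```shell
#!/bin/sh
# Added demonstration (not from the original thread): how the kernel hands
# the text after the interpreter on a "#!" line to that interpreter.
# Linux: one argument containing all the trailing text, then the script path.
# macOS: the trailing text split on whitespace, then the script path.
set -u

# Write a throwaway "interpreter" that prints each argv entry it receives
# on its own line, in square brackets, so any splitting is visible.
make_arg_printer() {
    cat > "$1" <<'EOF'
#!/bin/sh
for a in "$@"; do printf '[%s]\n' "$a"; done
EOF
    chmod 0755 "$1"
}

# Create a script whose first line is "#!<printer> <rest>", execute it,
# and print the argv that the printer received.  $1 is <rest>.
shebang_argv() {
    rest=$1
    dir=$(mktemp -d) || return 1
    make_arg_printer "$dir/showargs"
    printf '#!%s %s\n' "$dir/showargs" "$rest" > "$dir/prog"
    chmod 0755 "$dir/prog"
    "$dir/prog"
    status=$?
    rm -rf "$dir"
    return $status
}

# Number of argv entries the interpreter saw, not counting the script
# path that the kernel always appends last.
shebang_arg_count() {
    n=$(shebang_argv "$1" | wc -l)
    echo $((n - 1))
}

# The two cases from the thread: an env assignment plus a command (assumed
# to be what failed on RedHat), and a single wrapper name.
echo "#! line ends with: PERL5OPT=-T perl"
shebang_argv 'PERL5OPT=-T perl'
echo "arguments seen by interpreter: $(shebang_arg_count 'PERL5OPT=-T perl')"
echo
echo "#! line ends with: taintperl"
shebang_argv 'taintperl'
echo "arguments seen by interpreter: $(shebang_arg_count 'taintperl')"
```

On Linux the first case prints one bracketed line "[PERL5OPT=-T perl]" before the script path, i.e. a single argument that env would treat as one variable assignment with no command to run; the second case prints "[taintperl]", which is why a wrapper reachable under a single name works where an inline variable assignment does not. Inside the Perl program itself, the special variable ${^TAINT} is 1 when perl was started with -T, so a program that must only ever run under the wrapper can refuse to continue when it is 0.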
