[Pdx-pm] [csieh at fnal.gov: Re: Horribly Broken RHEL5/SL5 Perl]

Erik Hollensbe erik at hollensbe.org
Tue Aug 26 11:44:28 PDT 2008


On Tuesday 26 August 2008 11:12:39 Daniel Johnson wrote:
> > The next important step is to always invoke perl with:
> > #!/usr/bin/env perl
> > Do not use:
> > #!/usr/bin/perl
>
> The /usr/bin/env trick has significant security considerations.
> Consider a cgi example.
>
> http://example.com/cgi/submit.pl?PATH=/tmp
>
> > This would run whatever is called perl in the temp directory instead
> > of calling the real perl to compile and run the CGI script.

What CGI library shoves the parameters from GET/POST directly into the 
environment? Or is that some part of the spec I wasn't aware of?

-Erik
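The PATH lookup the thread is arguing about can be seen directly. The script below is an added example, not code from either poster; it builds a throwaway directory containing a fake `perl` (a shell script that just announces itself) and a one-line script with the requested shebang, then runs that script with the fake directory prepended to PATH. With `#!/usr/bin/env perl` the fake interpreter wins; with `#!/usr/bin/perl` the kernel goes straight to that path and PATH is never consulted (that branch only produces output if a real perl exists at /usr/bin/perl). All file names and contents are constructed for the demonstration; it assumes a POSIX shell with `mktemp` and `/usr/bin/env`.

```shell
#!/bin/sh
# Added example: show how "#!/usr/bin/env perl" resolves its interpreter
# through PATH, while an absolute shebang does not.
set -eu

# run_with_fake_perl SHEBANG [PREPEND]
#   Creates a temp dir with a fake "perl" and a script using SHEBANG,
#   runs the script with the temp dir prepended to PATH when PREPEND=1
#   (default) or with PATH untouched when PREPEND=0, and prints the
#   first line of output.  Empty output means the interpreter named in
#   the shebang could not be executed at all.
run_with_fake_perl() {
    shebang="$1"
    prepend="${2:-1}"
    fakedir=$(mktemp -d)                       # constructed scratch dir

    # Fake interpreter: anything named "perl" found earlier on PATH wins.
    cat > "$fakedir/perl" <<'EOF'
#!/bin/sh
echo "FAKE-PERL: $1"
EOF
    chmod +x "$fakedir/perl"

    # Constructed stand-in for the CGI script from the thread.
    printf '%s\nprint "real perl\\n";\n' "$shebang" > "$fakedir/submit.pl"
    chmod +x "$fakedir/submit.pl"

    if [ "$prepend" = 1 ]; then
        PATH="$fakedir:$PATH" "$fakedir/submit.pl" 2>/dev/null | head -n 1 || true
    else
        "$fakedir/submit.pl" 2>/dev/null | head -n 1 || true
    fi
    rm -rf "$fakedir"
}

# Demonstration when run directly.
echo "env shebang, attacker dir first on PATH:"
echo "  $(run_with_fake_perl '#!/usr/bin/env perl' 1)"
echo "env shebang, PATH untouched:"
echo "  $(run_with_fake_perl '#!/usr/bin/env perl' 0)"
echo "absolute shebang, attacker dir first on PATH (needs /usr/bin/perl):"
echo "  $(run_with_fake_perl '#!/usr/bin/perl' 1)"
```

Whether a real CGI request can reach that PATH is the separate question Erik raises: the gateway sets variables such as QUERY_STRING and REQUEST_METHOD, and a parameter named PATH stays inside QUERY_STRING unless some library copies parameters into the environment. The PATH-hijack only matters where the environment is already attacker-influenced, and a script that wants the `env` shebang can still defend itself by resetting PATH before running anything else.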
