[Pdx-pm] [csieh at fnal.gov: Re: Horribly Broken RHEL5/SL5 Perl]
Erik Hollensbe
erik at hollensbe.org
Tue Aug 26 11:44:28 PDT 2008
On Tuesday 26 August 2008 11:12:39 Daniel Johnson wrote:
> > The next important step is to always invoke perl with:
> > #!/usr/bin/env perl
> > Do not use:
> > #!/usr/bin/perl
>
> The /usr/bin/env trick has significant security considerations.
> Consider a CGI example.
>
> http://example.com/cgi/submit.pl?PATH=/tmp
>
> Which would run whatever is called perl in the temp directory instead
> of calling the real perl to compile and run the CGI script.
What CGI library shoves the parameters from GET/POST directly into the
environment? Or is that some part of the spec I wasn't aware of?
-Erik
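The PATH dependence Daniel describes, and the check a CGI wrapper can apply before relying on an `env`-style shebang, as an added shell example that is not part of this thread. `/usr/bin/env perl` runs the first executable named `perl` on PATH, so whoever controls PATH chooses the interpreter; the mitigation is to reset or filter PATH before the script is executed. The directory names and stub files below are constructed for the demo.

```shell
# Mimic /usr/bin/env's lookup: first executable regular file named $1 in
# the colon-separated path string $2. Prints it; returns 1 if none found.
resolve_in_path() {
  name=$1
  saved_ifs=$IFS; IFS=:; set -- $2; IFS=$saved_ifs
  for dir in "$@"; do
    [ -n "$dir" ] || dir=.          # empty component means current directory
    if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  return 1
}

# Keep only entries that are absolute, existing directories and not
# world-writable, so a /tmp-style entry cannot supply the "perl" that env
# finds. Prints the filtered path string (possibly empty).
sanitize_path() {
  saved_ifs=$IFS; IFS=:; set -- $1; IFS=$saved_ifs
  out=
  for dir in "$@"; do
    case $dir in /*) ;; *) continue ;; esac            # drop relative entries
    [ -d "$dir" ] || continue
    [ -z "$(find "$dir" -prune -perm -0002)" ] || continue   # world-writable
    out=${out:+$out:}$dir
  done
  printf '%s\n' "$out"
}

# Constructed sandbox: "trusted" (0755) and "untrusted" (1777, like /tmp)
# each hold an executable named perl; the files are stubs and are never run.
demo_setup() {
  root=$(mktemp -d)
  mkdir "$root/trusted" "$root/untrusted"
  for f in "$root/trusted/perl" "$root/untrusted/perl"; do
    printf '#!/bin/sh\nexit 0\n' > "$f"; chmod 755 "$f"
  done
  chmod 1777 "$root/untrusted"
  printf '%s\n' "$root"
}

main() {
  root=$(demo_setup)
  inherited="$root/untrusted:$root/trusted"
  echo "inherited PATH resolves: $(resolve_in_path perl "$inherited")"
  echo "sanitized PATH resolves: $(resolve_in_path perl "$(sanitize_path "$inherited")")"
  rm -rf "$root"
}
```

Run `main` to see the inherited PATH pick the stub in the world-writable directory and the sanitized PATH pick the trusted one; in a real deployment the simpler fix is to set PATH to a fixed value in the web server or wrapper before exec.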