[Purdue-pm] Problem with she-bang and PERL5OPT

Rick Westerman westerman at purdue.edu
Fri Nov 21 06:01:54 PST 2014


Thanks for the info on mod_perl Mark.  I agree that we should migrate to mod_perl. We’ve been meaning to do that for years but since our performance is usually not that bad (except for when we code poorly) it has been low on the list and high on the “let’s not break things” fear — despite it reportedly being a safe thing to do.   

Unfortunately mod_perl does not allow individual programs to run in ‘taint’ mode so it is not an answer to my question of how to run programs in non-taint mode.   However I’ll take your endorsement of mod_perl to be a vote in favor of running ‘taint’ globally.  So far 1:for, 0:against.

=====

Oh, I haven’t mentioned how I run ‘taint’ in my web-based programs. I do so by specifying explicitly the perl path.  I.e., no use of ‘/usr/bin/env perl’.  But this means the program has to be changed to use newer versions of perl and is also vulnerable to its version of perl disappearing from the system.  Something we recently ran into thus my recent questions.    Dave, on the other hand, doesn’t use ‘taint’ so he can use /usr/bin/env.    Since ‘taint’ — similar to ‘strict’ and ‘warnings’ and even unit testing — is just a crutch to help proper coding there is not an absolute need for it.


--
Rick Westerman
westerman at purdue.edu




> On Nov 21, 2014, at 8:24 AM, Mark Senn <mark at ecn.purdue.edu> wrote:
> 
> Rick Westerman <westerman at purdue.edu> wrote on 2014-11-21 at 22:27:
> |  If someone has a suggestion on how to run individual web programs using
> |  taint I am all ears.
> 
> SUMMARY
> 
> Use mod_perl.  See  http://modperlbook.org/html/6-5-2-2-Taint-mode.html
> 
> DETAILS
> 
> From   http://perl.apache.org/start
> 
>    Accelerate your existing dynamic content
> 
>    The standard Apache::Registry module can provide 100x speedups for
>    your existing CGI scripts and reduce the load on your server at the
>    same time. A few changes to the web server's config is all that is
>    required to run your existing CGI scripts at lightning speed.
> 
> Which links to   http://perl.apache.org/start/tips/registry.html
> (excerpt here)
> 
>    Existing CGI scripts will run much faster under mod_perl. And converting
>    existing CGI scripts to run under mod_perl is easy.
> 
>    For example, here's an existing CGI script called hello.cgi.
> 
>        #!/usr/local/bin/perl -w
>        use strict;
>        use CGI;
>        my $q = CGI->new;
>        print $q->header,
>              $q->start_html,
>              $q->h1('Hello World!'),
>              $q->end_html;
> 
>    This script can now be run as-is under Apache::Registry by using the
>    following configuration in httpd.conf:
> 
>        <Files hello.cgi>
>            SetHandler perl-script
>            PerlHandler Apache::Registry
>            Options ExecCGI
>        </Files>
> 
>    That's basically it. Your scripts do need to be well coded, but there's
>    even the Apache::PerlRun module to help with those "less clean"
>    programs.
> 
>    So how much faster do scripts run under Apache::Registry? Obviously, it
>    depends on the script, but the hello.cgi script above ran at 7.3
>    requests per second as a CGI script and 243.0 requests per second with
>    Apache::Registry.
> 
>    For more information on running CGI scripts under mod_perl please
>    see the CGI to mod_perl Porting section of The Guide.
> 
> From   http://modperlbook.org/html/6-5-2-2-Taint-mode.html
> 
>    Since the -T switch can't be turned on from within Perl (this is because
>    when Perl is running, it's already too late to mark all external data as
>    tainted), mod_perl provides the PerlTaintCheck directive to turn on
>    taint checks globally. Enable this mode with:
> 
>        PerlTaintCheck On
> 
>    anywhere in httpd.conf (though it's better to place it as early as
>    possible for clarity).
> 
> I was a technical editor for Sams Publishing's ``mod_perl Developer's
> Cookbook''.  (I use logical punctuation---see
> http://www.slate.com/articles/life/the_good_word/2011/05/the_rise_of_logical_punctuation.html
> .)
> The book's website is at   http://www.modperlcookbook.org   .
> 
> (Technical editors read text, run examples, give feedback on how to most
> clearly express ideas, check table of contents, check indices, etc.--if
> you're interested in money don't be a technical editor---it takes so
> long to do a good job and pays so little you'll make more money working
> for McDonald's.)
> 
> When I used mod_perl over ten years ago I was very impressed with the software.
> 
> -mark
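
The explicit-path approach described in this thread, as an added example that is not code from either poster: a CGI-style script that refuses to run unless taint mode is actually on, then untaints one parameter through an allow-list before passing it to an external command. The parameter format, the helper name `untaint_sample_id`, and `/bin/echo` as the external command are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (constructed); run as ./script or "perl -T script", since perl
# rejects a -T that appears only on the #! line when started as "perl script".
use strict;
use warnings;
use Scalar::Util qw(tainted);

# ${^TAINT} is 1 under -T, -1 under -t (warnings only) and 0 when taint is off.
# Dying here catches a shebang that lost its -T, e.g. after a switch to env.
die "taint mode is not enabled; refusing to run\n" unless ${^TAINT} == 1;

# Under -T the inherited environment is tainted; pin it before running anything.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by capturing from a strict allow-list pattern (hypothetical format:
# 1 to 32 word characters). Returns undef when the input does not match.
sub untaint_sample_id {
    my ($raw) = @_;
    return (defined $raw && $raw =~ /\A([A-Za-z0-9_]{1,32})\z/) ? $1 : undef;
}

# Command-line arguments and %ENV values are tainted under -T.
my $raw = $ARGV[0] // $ENV{QUERY_STRING} // '';
printf "input tainted: %s\n", tainted($raw) ? 'yes' : 'no';

my $id = untaint_sample_id($raw);
if (defined $id) {
    # List-form system avoids the shell. Passing $raw instead of $id would make
    # perl die with "Insecure dependency in system while running with -T switch".
    system('/bin/echo', 'processing', $id) == 0
        or die "external command failed: $?\n";
}
else {
    print "rejected input\n";
}
```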


