[Purdue-pm] Problem with she-bang and PERL5OPT
Doug Yatcilla
yatcilla at purdue.edu
Fri Nov 21 06:51:27 PST 2014
On Thu Nov 20 22:27:25 2014, Rick Westerman <westerman at purdue.edu> wrote:
> Others: Yes, I know that setting PERL5OPT outside the program will
> carry through. That isn’t possible in my scenario — executing Perl
> programs via Apache (the only real reason to use taint in the first
> place) unless we make all programs use taint. If someone has a
> suggestion on how to run individual web programs using taint I am
> all ears.
Rick,
You are mistaken. You can use a wrapper script (with or without
apache) to set environment variables that will be passed to perl or
other scripts.
Let your perl script be /opt/scripts/job1
Let your Apache CGI directory be /opt/cgi-bin
Here is /opt/cgi-bin/taint: (not tested)
----------------------------------------------------------------------
#!/bin/bash
# wrapper script for running perl with taint mode enabled
# set any arbitrary shell environment vars
# or assume sane ones are inherited from apache config
# (export them so the perl process actually sees them)
export PATH=/usr/bin:/any/other/safe/paths
export PERL5OPT=-T
# directory containing perl programs
cgiroot=/opt/scripts
# name of the script: first argument, or the trailing path component
# that Apache puts in PATH_INFO for /cgi-bin/taint/job1
name=${1:-${PATH_INFO#/}}
# refuse an empty name, a slash or a leading dot so nothing outside
# $cgiroot can be reached via the URL
case $name in
  ''|*/*|.*) echo "$0: bad script name" >&2; exit 1 ;;
esac
script=$cgiroot/$name
# run the script which is passed as an argument from apache
# (errors go to stderr, i.e. the apache error log, not the browser)
if [[ -r "$script" ]]; then
    exec perl -T "$script"
else
    echo "$0: script $script not found" >&2
    exit 1
fi
----------------------------------------------------------------------
To invoke, use web address: http://my.server.com/cgi-bin/taint/job1
In the taint script given above, the actual perl script is invoked
with "perl -T" so the shell script doesn't need to set the PERL5OPT
variable, nor does the /opt/scripts/job1 perl script even need to
have its execute bit set or have a #! as the first line.
The rationale for keeping the actual scripts outside the apache CGI
directory is so someone cannot avoid the wrapper script and invoke the
script directly from a web address (and bypass taint mode).
Nonetheless, you might as well put in a check in your perl script to
stop if taint mode isn't enabled.
Getting back to perl, I wonder why you can't just turn on taint mode
with a "use taint;" directive along the lines of "use warnings;". I
read that it is "too late" to enable it once the program starts, but
don't understand why.
That seems to be what this module provides:
http://search.cpan.org/~sharyanto/tainting-0.01/
But, it appears to be a proof of concept.
Another, older, probably abandoned module along similar lines is:
http://search.cpan.org/~rhandom/Taint-Runtime-0.03/
Its documentation specifically mentions the use case of migrating lots
of apache cgi scripts one at a time to using taint mode, which is
exactly what you appear to want to do.
-Doug
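As an added example (not part of Doug's post or the wrapper above), here is what the /opt/scripts/job1 side of this setup can look like: the script refuses to run unless it was started under -T, and then shows the one mechanism perl offers for cleaning request data, a regex capture. It assumes the wrapper runs it as "perl -T /opt/scripts/job1", that the request carries a query string of the form id=NNN, and that /usr/bin/logger exists; the 500/400 handling and the id pattern are illustrative choices.

```perl
#!/usr/bin/perl
# /opt/scripts/job1, started by the wrapper as "perl -T /opt/scripts/job1".
# Added example, not from the mailing list post.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# ${^TAINT} is read-only: 1 under -T, -1 under -t (violations are only
# warnings) and 0 otherwise. It cannot be switched on from inside the
# program, which is why the wrapper has to pass -T. Check at compile time.
BEGIN {
    if ( ${^TAINT} != 1 ) {
        print "Status: 500 Internal Server Error\r\n",
              "Content-Type: text/plain\r\n\r\n",
              "refusing to run without taint mode\n";
        # die() goes to stderr, i.e. the Apache error log
        die "$0: started without -T (\${^TAINT} is ${^TAINT})\n";
    }
}

# Under -T perl refuses system()/exec() unless PATH is trustworthy, so set
# it explicitly and drop the variables a shell would honour.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Everything that comes from the request (%ENV, STDIN, @ARGV) is tainted.
# The only way to clean a value is to extract it with a regex capture,
# which forces the allowed pattern to be spelled out. Returns undef if the
# query string is not exactly "id=" followed by 1 to 6 digits.
sub untaint_id {
    my ($query) = @_;
    my ($id) = ( $query // '' ) =~ /^id=([0-9]{1,6})$/;
    return $id;
}

my $id = untaint_id( $ENV{QUERY_STRING} );
if ( !defined $id ) {
    print "Status: 400 Bad Request\r\n",
          "Content-Type: text/plain\r\n\r\n",
          "bad or missing id\n";
    exit 0;
}

# With a tainted argument this system() would die with
# "Insecure dependency in system while running with -T switch".
# $id is a regex capture, so it is clean; the list form avoids a shell.
system( '/usr/bin/logger', '-t', 'job1', "request for id $id" ) == 0
    or warn "logger failed: $?\n";

print "Content-Type: text/plain\r\n\r\n";
printf "tainted(QUERY_STRING)=%d tainted(id)=%d id=%s\n",
    ( tainted( $ENV{QUERY_STRING} ) ? 1 : 0 ),
    ( tainted($id) ? 1 : 0 ),
    $id;
```

Started through the wrapper, the script logs the request and reports the query string as tainted and the extracted id as clean; started as a plain "perl /opt/scripts/job1" (or from a CGI directory it was mistakenly copied into) it returns a 500 and writes the reason to the error log before any request data is touched.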