SPUG: PERL5LIB is tainted

Darren/Torin/Who Ever... torin at daft.com
Tue May 23 03:20:49 CDT 2000


Kim Goldov, in an immanent manifestation of deity, wrote:
>As a workaround, I decided to set PERL5LIB to the test library location in
>the httpsd.conf file using the Apache directive, SetEnv. This works to set
>the PERL5LIB variable, however with taint checking active in the scripts,
>the PERL5LIB variable is ignored (doesn't produce a taint violation) and
>does not affect the @INC path. Is there some way I can launder PERL5LIB
>before perl tries to add it to the @INC path, or must I try a different
>approach to solve my problem?

There is no way to launder PERL5LIB before Perl tries to add it to the
@INC path.

Something that occurred to me as I read this though.  Warning: I didn't
test this all together although I've done each of the parts at different
times.

1) Create two files, Dev_Host1.pm and Dev_Host2.pm
Dev_Host1.pl:
use lib "/usr/local/path-to-first-host-require-dir";
Dev_Host2.pl:
use lib "/usr/local/path-to-second-host-require-dir";

Inside your apache configuration files:
<IfDefine DEV_HOST1>
  PerlRequire Dev_Host1.pl
</IfDefine>
<IfDefine DEV_HOST2>
  PerlRequire Dev_Host2.pl
</IfDefine>

Then start up apache with either:
$ apache -DDEV_HOST1
or
$ apache -DDEV_HOST2

as appropriate.

This should handle the taint just fine.

Darren
-- 
<torin at daft.com> <http://www.daft.com/~torin> <torin at debian.org> <torin at io.com>
Darren Stalder/2608 Second Ave, @282/Seattle, WA 98121-1212/USA/+1-800-921-4996
@ Sysadmin, webweaver, postmaster for hire. C/Perl/CGI/Pilot programmer/tutor @
@		     Make a little hot-tub in your soul.		      @

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
 Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/
 For Subscriptions, Email to majordomo at pm.org:  ACTION  spug-list  EMAIL
  Replace ACTION by subscribe or unsubscribe, EMAIL by your Email address





More information about the spug-list mailing list