httpd-test-dev mailing list archives

From Stas Bekman <s...@stason.org>
Subject Re: cvs commit: httpd-test/perl-framework/Apache-Test/lib/Apache TestConfig.pm TestConfigParse.pm
Date Thu, 06 Sep 2001 13:30:20 GMT
On Thu, 6 Sep 2001, Gary Benson wrote:

>
> On 6 Sep 2001 stas@apache.org wrote:
>
> > stas        01/09/05 19:36:44
> >
> >   Modified:    perl-framework/Apache-Test/lib/Apache TestConfig.pm
> >                         TestConfigParse.pm
> >   Log:
> >   - enable taint mode in tests via PerlSwitches -T
> >   - untaint $ENV{PATH} before using open "-|"
>
> [snip]
>
> >   diff -u -r1.7 -r1.8
> >   --- TestConfigParse.pm	2001/08/20 15:20:50	1.7
> >   +++ TestConfigParse.pm	2001/09/06 02:36:44	1.8
> >   @@ -220,6 +220,8 @@
> >
> >        my $version;
> >        my $cmd = "$httpd -v";
> >   +    # untaint
> >   +    $ENV{PATH} = '/bin:/usr/bin';
> >        open my $v, '-|', $cmd or die "$cmd failed: $!";
> >
> >        local $_;
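Review bot: the assignment `$ENV{PATH} = '/bin:/usr/bin';` added at the top of this hunk changes PATH for the rest of the process, not only for the pipe open that follows it; `local $ENV{PATH} = '/bin:/usr/bin';` would untaint it for this scope alone and restore the caller's PATH afterwards. Since `$cmd` is built as `"$httpd -v"` and passed to `open my $v, '-|', $cmd` as a single string, the list form `open my $v, '-|', $httpd, '-v'` would also keep a shell out of the path, and the bare `# untaint` comment could state the reason (perl refuses to spawn a subprocess under -T while PATH is tainted) so the next reader does not have to guess.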
>
> This breaks on mine even though $httpd is an absolute path at this point.

You mean if you don't add the patch from above?

> I'm not familiar enough with Perl to know why this should be, but is there
> a better way (like $ENV{PATH} = '/bin:/usr/bin' unless $httpd =~ m:^/:;)?
> Would that successfully untaint it?

It's not about being an absolute path or not; it's about opening "-|", which
is insecure if $ENV{PATH} is not untainted.

> I can't tell, since mine doesn't complain about it being tainted at this
> point and I can't figure out a way to make it do so. Why do you need to
> untaint here anyway? Is this something from mod_perl? I'm confused!

What's your Perl version? perl -v ?

It has nothing to do with mod_perl; it's a pure Perl issue (a good one :)
For more information please read the perlsec manpage:

% perldoc perlsec

or as the mod_perl guide suggests:
http://perl.apache.org/guide/help.html#Get_help_with_Perl_CGI:

http://www.gunther.web66.com/FAQS/taintmode.html

_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide
mailto:stas@stason.org   http://apachetoday.com http://eXtropia.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
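As an added example (not code from Apache-Test or from anyone in this thread), the following script, run under perl -T, reproduces the failure Stas describes and shows a scoped variant of the committed fix; /bin/echo is a stand-in for the httpd binary and is an assumption of the example.

```perl
#!/usr/bin/perl -T
# Added example, not Apache-Test code. Run with: perl -T taint_pipe.pl
use strict;
use warnings;

# Placeholder for the httpd path Apache-Test resolves; any absolute path
# to a program that accepts "-v" works for the demonstration.
my $httpd = '/bin/echo';

# As committed before the fix: a pipe open while %ENV is still tainted.
# Under -T every inherited environment value is tainted, so this dies with
# "Insecure $ENV{PATH} while running with -T switch" even though $bin is
# an absolute path: perl refuses to spawn a subprocess at all.
sub version_tainted {
    my ($bin) = @_;
    open my $v, '-|', "$bin -v" or die "$bin -v failed: $!";
    my $out = <$v>;
    close $v;
    return $out;
}

# Scoped fix: work on a localized copy of %ENV so the caller's environment
# is restored on return, set PATH from a literal (literals are never
# tainted), drop the other shell-influencing variables perlsec names, and
# pass the command as a list so no shell ever parses $bin.
sub version_untainted {
    my ($bin) = @_;
    local %ENV = %ENV;
    $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    open my $v, '-|', $bin, '-v' or die "$bin -v failed: $!";
    my $out = <$v>;
    close $v;
    return $out;
}

my $first = eval { version_tainted($httpd) };
print 'tainted open:   ', ($@ ? "died: $@" : "ok: $first");
print 'untainted open: ', version_untainted($httpd);
```

Without -T both calls succeed, which is why a setup that does not pass PerlSwitches -T never sees the error.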


