Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses

Confused about Taint

by Anonymous Monk
on Jul 12, 2000 at 19:46 UTC ( [id://22210] : perlquestion . print w/replies, xml ) Need Help??

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi! I keep reading about running CGI scripts with taint mode for security, but when I use the -T switch, I get the following message:
Too late for "-T" option at formtest.cgi line 1.
My shebang line is:
#!/usr/bin/perl -T
(It was #!/usr/bin/perl -Tw but I took the -w off for testing why -T doesn't work).

Can canyone tell me what the error message means and how I can get around it? Thanks monks!!!

Replies are listed 'Best First'.
Re: Confused about Taint
by infoninja (Friar) on Jul 12, 2000 at 19:59 UTC
    It sounds like you're running your script through perl (i.e., executing 'perl formtest.cgi'), rather than executing formtest.cgi directly. This can be reproduced with the following code:
    #!/usr/bin/perl -T print "Test\n";
    This script will give the same error you report if run as 'perl' (with the code saved as, but will run ok if the executable bit is set and the script is run as
    If run as 'perl', perl doesn't start the taint checking until it reaches the -T in the shebang line, at which point perl cannot be certain that the previous part of the script isn't tainted.
Re: Confused about Taint
by Abigail (Deacon) on Jul 12, 2000 at 22:27 UTC
    Can canyone tell me what the error message means and how I can get around it?

    You can!

    All errors perl might issue (and even some non-perl errors) are documented in man perlop. It's very likely that a solution to your problem is found in the manual.

    -- Abigail

Re: Confused about Taint
by Maclir (Curate) on Jul 13, 2000 at 02:16 UTC
    It sounds like you are running under mod_perl. From the mod_perl manual:

    Since the -T switch doesn't have an equivalent perl variable, mod_perl provides the PerlTaintCheck directive to turn on taint checks. In httpd.conf, enable this mode with:

    PerlTaintCheck On
    Now any code compiled inside httpd will be taint checked.

    If you use the -T switch, Perl will warn you that you should use the PerlTaintCheck configuration directive and will otherwise ignore it.

    Now that means you have to have the authority to change your apache config files, and restart the server. I also imagine that all perl cgi programs that run under mod_perl then (check your scriptalias setting) will be taint checked - which may cause other programs to break.


Re: Confused about Taint
by doran (Deacon) on Sep 15, 2000 at 02:50 UTC
    Probably too late to help, but here goes:
    If you're running Windows IIS, you'll need to get into the Registry and modify the key (usually under Script Maps) that executes perl when the server runs your CGI script. Usually, the line reads something like "c:\perl\bin\perl.exe %s %s", but you'll need to edit it to read something like "c:\perl\bin\perl.exe -T %s %s". Of course your particular path and such might vary. Also don't muck around in the Registry unless you're confident you can recover from anything you screw up.
Re: Confused about Taint
by antihec (Sexton) on Jul 12, 2000 at 20:20 UTC
    Hmm just a thought: Does your webserver run mod_perl, and could this be causing that? Or maybe the server is set up to use some kind of wrapper to exec user cgis, and that calls perl? I couldn't think of why... but it might be the path to track down the error: look how perl is executed by your webserver.
    -- bash$ :(){ :|:&};: