in reply to Re: cgi/perl/fortran web program
in thread cgi/perl/fortran web program

Hi sverrill,

This is clearly a workaround.

Not necessarily. Since it sounds like you're writing these scripts for a single server, and you are in control of which paths the binaries are located in on this server, then I think removing the dependence on the PATH environment variable by using absolute paths is an acceptable solution. Not only that, there have been security holes in which the PATH was manipulated, causing malicious programs to be executed instead of the real ones (which is one of the reasons that Perl's taint mode requires you to set your own $ENV{PATH}). Of course you don't need to hard-code the binaries' paths into every CGI script; you could, for example, use a configuration file at a known location.

Ensuring that PATH is set to a known value is also a solution of course, I just wanted to point out that despite all the teachings that hard-coding values is bad, absolute pathnames can still be useful :-)

Regards,
-- Hauke D

Re^3: cgi/perl/fortran web program
by hippo (Archbishop) on Dec 15, 2016 at 09:49 UTC
    which is one of the reasons that Perl's taint mode requires you to set your own $ENV{PATH}

    This is the crux, I think. sverrill should absolutely be using taint mode for such a CGI script in the first place. This means (as haukex rightly says) that $ENV{PATH} should be explicitly set inside the script. Combining that with the one-server nature of this deployment means that I would suggest putting all your executable programs for the script to use in one directory which you specifically create for this purpose. Setting $ENV{PATH} to be just this directory then further limits the damage which could potentially be done.

    Never underestimate the chance that some miscreant could send a specially crafted request and break your script in a system-harming way. Try also to avoid the hubris which tells you that your script lacks such vulnerabilities.

    In summary:

    • CGI means taint mode, always.
    • Taint mode means setting a $ENV{PATH} restricted to specific directories or completely empty.

    Not a panacea, but solid, sensible precaution. Good luck.
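Putting both replies' advice into one script, as an added example that is not code from the thread: taint mode via -T, an explicit $ENV{PATH} limited to one purpose-made directory, untainting of the request parameter, and the external program invoked by absolute path without a shell. The directory, program name and parameter name are assumed placeholders, and the script assumes CGI.pm is installed.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). -T switches on taint mode, so the
# script must set its own PATH before running anything external.
use strict;
use warnings;
use CGI qw(param header);

# Assumed directory that holds only the programs this script may run
# (e.g. the compiled Fortran binary); change it for your server.
my $BIN_DIR = '/usr/local/lib/mycgi/bin';

# Restrict PATH to that one directory and drop the other environment
# variables perlsec lists as able to influence child programs.
$ENV{PATH} = $BIN_DIR;
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint the user-supplied value by matching it against a strict pattern;
# a request that does not match is rejected instead of passed along.
my $raw = param('n') // '';
my ($n) = $raw =~ /\A([0-9]{1,6})\z/
    or do { print header(-status => 400), "bad input\n"; exit };

# Absolute path to the program, list-form pipe open so no shell is involved
# and $n is passed as a single argument rather than interpolated.
my $prog = "$BIN_DIR/compute";
open my $fh, '-|', $prog, $n or die "cannot run $prog: $!";
my @out = <$fh>;
close $fh or warn "$prog exited with status " . ($? >> 8) . "\n";

print header('text/plain'), @out;
```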