Nemp has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks,

I'm in a bit of a quandry and would appreciate any help or advice you can offer me. I've just started playing with the CGI module rather than trying to hand-roll my own Perl CGI scripts and everything was going fine until I turned on taint checking...

I've copied the code I'm using to the end of this post (it's very basic and I can't see any problems with it, it also runs fine at the command line in my linux install but needs a command line argument '-T' from windows 98 with activestate Perl).

My problem is this: the script will not run on my web-server (hosted on Windows 2000) so long as the 'T' for taint checking exists on the shebang line. I've contacted the customer service for my host to ask them if they have a problem but the reply is 'Our Perl interpreter works correctly, your script is coded badly'.

So basically is there an error in the way I'm using taint-checking in my code?? (Yes I know it's not necessary for the code I've pasted here but this is just a little example) And if there isn't an error in this code - is my provider being straight with me telling me that their 'Perl interpreter' is set up correctly? Or is the '-T' option really new and maybe unsupported by them?

Thanks for your time!
Neil 

#!/usr/bin/perl -wT
use strict;
use CGI;

my $q = new CGI;
print $q->header,                    
    $q->start_html('hello world'), 
    $q->h1('hello world'),         
    $q->end_html;

[download]

Replies are listed 'Best First'.
Re: Perl hosting setup and taint check.
by TStanley (Canon) on Aug 12, 2002 at 11:37 UTC
    The problem you are having is that in Windows you need to make the file association. If you are using a ".cgi" extension on your files, you will need to change the association for that file. When you change the association, add the -T switch to the end of the perl command line.

    TStanley
    --------
    Never underestimate the power of very stupid people in large groups -- Anonymous
[reply]
[reply]

      I'm using a ".pl" extension on my files. The webhost I am using shares access to the Perl interpreter so I don't think they will change the command line for when Perl scripts are invoked just for me :(. (I'll try though!!)

      Is there anything I can tell my hosting company to do in regards to their Perl interpreter to allow me to use taint checking?

      Thanks,
      Neil

[reply]
      I copied your script exactly, and it ran fine under Apache on Red Hat 7.3 Linux. If the webserver is on a Windows 2000 platform, I seriously doubt the location of "perl" is "/usr/bin/perl" like you specified in the top #! line - I would expect to see something starting with "c:" with backslashes like "c:\path\to\perl". HTH.
[reply]

        Sorry for any possible confusion, that was left in since I checked the script on my linux box at home. Saying that, I was under the impression that the location of Perl specified in the #! line didn't affect running at all under Windows (except for the modifiers after like -w etc.) Am I incorrect in this assumption?

        Many thanks,
        Neil

[reply]
Re: Perl hosting setup and taint check.
by Jaap (Curate) on Aug 12, 2002 at 11:25 UTC
    Are you allowed to view the Webserver's error log so you can see some description of the error? If so, what's the error?
[reply]

      Unfortunately I don't have access to the error log (as far as I'm aware and have been able to find out). I've just found a recipe in the Perl Cookbook to save my errors elsewhere though so I'll try that when I get some free time :)

      Thanks for the idea!
      Neil

[reply]
Re: Perl hosting setup and taint check.
by dws (Chancellor) on Aug 12, 2002 at 17:03 UTC
    the script will not run on my web-server (hosted on Windows 2000) so long as the 'T' for taint checking exists on the shebang line.

    This is an IIS configuration issue. Inside of IIS, there's a thing called a "script map", which is a mapping of file extensions to command templates. This map determines what script to invoke to handle CGIs, depending on their extension. Typically, there'll be an entry that reads   ".cgi"   "c:/perl/bin/perl.exe %s %s" This is where you need to add the -T. Unfortunately, it's al all-or-nothing affair. If you add -T here, then all .CGI scripts are now taint-checked, whether they're ready for it or not.

    This is one of several reasons why IIS on a shared web server sucks.

    A typical workaround is to add a new script type (e.g, ".cgx"), and set up the script map to look like   ".cgx"   "c:/perl/bin/perl.exe -T %s %s" The script map is accessible through the IIS administrative control panel.

[reply]
[d/l]
[select]

Back to Seekers of Perl Wisdom