blahblah has asked for the wisdom of the Perl Monks concerning the following question:

After taking a break from CGI for a while I need some Perlmonk steelwool to brush off the rust. Funny I couldn't find this answered before...
I'm writing a script and thinking about using $ENV{DOCUMENT_ROOT}. How spoof-able is this var? Is there a definitive guide to which apache $ENV vars are able to be spoofed and considered "unsafe" for those of us with short-term memory deficiencies?

Thanks,
Alex

Replies are listed 'Best First'.
Re: Which apache $ENV are considered "safe"?
by merlyn (Sage) on May 19, 2003 at 08:08 UTC
    Variables that start with HTTP_ are direct pass-throughs from browser headers. Other variables are set by various computations within Apache itself.

    So, the quick answer is "absolutely don't trust anything in the HTTP_ list, but the rest can be considered as safe as your operating system".

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

Re: Which apache $ENV are considered "safe"?
by japhy (Canon) on May 19, 2003 at 06:11 UTC
    As far as I know, $ENV{DOCUMENT_ROOT} is set by the server... it doesn't give the client a chance to tell it what it should be. The "safe" variables are the ones that define the server, not the client.

    _____________________________________________________
    Jeff[japhy]Pinyan: Perl, regex, and perl hacker, who'd like a job (NYC-area)
    s++=END;++y(;-P)}y js++=;shajsj<++y(p-q)}?print:??;

Re: Which apache $ENV are considered "safe"?
by PodMaster (Abbot) on May 19, 2003 at 06:35 UTC
Re: Which apache $ENV are considered "safe"?
by pzbagel (Chaplain) on May 19, 2003 at 07:26 UTC

    What is "safe" anyway? Perhaps this is why Taint mode does not trust any outside data.

    Just a thought

      Safe means that I can trust the data because it is not able to be tampered with (tainted) by user input - malicious or otherwise.
      I am looking for a discussion on which of the apache vars -can- be tainted so that I know what I am getting myself into should I decide to use them. I am especially interested in those vars that are seemingly secure but have a nasty backdoor (because they are the rogues that get you later).
      I'll check out the links above...

      Thanks
      Alex
Re: Which apache $ENV are considered "safe"?
by gmpassos (Priest) on May 19, 2003 at 19:11 UTC
    You can't trust %ENV! Just because you are inside Apache doesn't mean that Apache generated %ENV.

    You can only trust a key inside %ENV after checking it. For example, write code that checks that the format is safe, and then use the key (but no one does this, including me).

    You touched on a good point for hacking some servers... Especially for persistent processes, like in mod_perl, where you can change the memory part of a key directly, since this memory part is there (or can be there) between HTTP queries too. (Especially on Win32)

    Graciliano M. P.
    "The creativity is the expression of the liberty".
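
An added example, not part of any reply in this thread: a Perl sketch that combines the HTTP_ rule and the "check the format first" advice from the replies above, classifying each variable by origin and releasing client-derived values only after a strict pattern match. The `%sample_env` values, the helper names `origin` and `checked_env`, the patterns, and the list of request-derived variables beyond HTTP_ are this example's assumptions.

```perl
use strict;
use warnings;

# Constructed sample environment (not captured from a real server).
my %sample_env = (
    DOCUMENT_ROOT   => '/var/www/html',
    HTTP_HOST       => "example.com\r\nX-Injected: 1",
    HTTP_USER_AGENT => 'Mozilla/5.0',
    QUERY_STRING    => 'id=1&page=2',
    PATH_INFO       => '/../../etc/passwd',
    CONTENT_LENGTH  => '12',
    REMOTE_ADDR     => '192.0.2.10',
);

# Assumption of this example: besides HTTP_*, these variables are filled
# from the request line or request headers, so the client chooses them too.
my %request_derived = map { $_ => 1 } qw(
    QUERY_STRING PATH_INFO PATH_TRANSLATED REQUEST_URI
    REQUEST_METHOD CONTENT_TYPE CONTENT_LENGTH
);

# Strict, anchored formats. A client-derived variable without an entry
# here is never released. Under taint mode (-T) the capture in $1 is
# what untaints the value.
my %format = (
    HTTP_HOST      => qr/\A([a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?(?::\d{1,5})?)\z/i,
    CONTENT_LENGTH => qr/\A(\d{1,10})\z/,
    QUERY_STRING   => qr/\A([A-Za-z0-9_=&%.+-]{0,2048})\z/,
);

# 'client' if the value originates in the HTTP request, else 'server'.
sub origin {
    my ($name) = @_;
    return ($name =~ /\AHTTP_/ || $request_derived{$name}) ? 'client' : 'server';
}

# Return the value if it is server-set or passes its format check;
# return undef for anything client-derived that is unchecked or malformed.
sub checked_env {
    my ($env, $name) = @_;
    my $value = $env->{$name};
    return unless defined $value;
    return $value if origin($name) eq 'server';
    my $re = $format{$name} or return;
    return $value =~ $re ? $1 : undef;
}

for my $name (sort keys %sample_env) {
    my $v = checked_env(\%sample_env, $name);
    printf "%-16s %-6s %s\n", $name, origin($name), defined $v ? "ok: $v" : 'REJECTED';
}
```

With the constructed input, the HTTP_HOST value carrying an embedded CR/LF, the PATH_INFO traversal string, and HTTP_USER_AGENT (which has no format entry) are all rejected, while DOCUMENT_ROOT and REMOTE_ADDR pass through as server-set.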