in reply to Re: Re: Why do I need -w in a cgi script
in thread Why do I need -w in a cgi script

What's pretty dumb is to assume you can write perfect tests.

Abigail

Re: Re: Why do I need -w in a cgi script
by Melly (Chaplain) on Oct 10, 2003 at 13:24 UTC

    True, but then, as I said, we're still screwed since taint doesn't force you to get the cleaning right.

    Look, it's a moot point (who the hell turns off taint checking?), but a valid one. Turning off taint checking on a production script shouldn't make any difference.

    Consider - you develop a script, and when you test with taint on, the following generates a warning:

        foreach(@ARGV){ `$_`; }

    So you correct it:

        foreach(@ARGV){ /(\w*)/; $foo = `ls -l $1`; }

    Is this going to be any less secure for running without taint once you've got it to run with taint?

        foreach(@ARGV){ /(.*)/; $foo = `$1`; }

    And is this going to be any less insecure for running with taint?

    Tom Melly, tom@tomandlu.co.uk
      Let's say, you have the following program:
      #!/usr/bin/perl -T
      use strict;
      use warnings;
      my $file = shift;
      open my $fh => $file or die $!;
      while (<$fh>) {print}
      close $fh;
      __END__

      A fairly trivial one. Takes only one parameter. You test it with a million files. It all works fine. You remove the '-T' and put it in production, where it's going to be run suid or called by a CGI program, or whatever.

      Then some joker passes "> /some/important/file" as argument. With "-T", perl would not have wiped the content of the file. Without, it will.

      Abigail

        I concede! I'm an idiot!

        I'd forgotten (or, more accurately, never noticed) that Taint would allow anything to be done with user-input prior to untainting it with a regex.

        Tom Melly, tom@tomandlu.co.uk
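
Abigail's scenario above, as an added example that is not part of the original thread: the two-argument open from the post next to a hardened form that untaints with an allow-list pattern and passes the mode as a separate argument. The file name `taint-demo-victim.txt`, the script name `taint_open.pl` and both sub names are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread.
# Run from the script's own directory as: perl -T taint_open.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run this with -T\n" unless ${^TAINT};

# A zero-length slice of tainted data is itself tainted; appending it
# taints the constructed arguments the way real @ARGV entries would be.
my $taint = substr(join('', $0, $^X, values %ENV), 0, 0);
die "could not obtain tainted data\n" unless tainted($taint);

my @args = map { $_ . $taint } (
    $0,                         # an existing file: this script
    '> taint-demo-victim.txt',  # constructed "joker" argument
);

# The open from the post: two-argument form, so perl parses the mode
# out of the file name. Taint mode objects only when that mode writes.
sub thread_open {
    my ($file) = @_;
    my $ok = eval { open my $fh, $file or die "$!\n"; 1 };
    return 'opened' if $ok;
    chomp(my $err = $@);
    return "refused: $err";
}

# Hardened form: accept plain file names only (the capture is untainted),
# then give the mode as its own argument so the name is never parsed.
sub safe_open {
    my ($file) = @_;
    my ($name) = $file =~ /\A(\w[\w.-]*)\z/
        or return 'rejected: not a plain file name';
    open my $fh, '<', $name or return "failed: $!";
    return 'opened for reading';
}

for my $arg (@args) {
    print "argument [$arg]\n";
    print "  two-arg open:   ", thread_open($arg), "\n";
    print "  three-arg open: ", safe_open($arg),   "\n";
}
```

The read-only open of a tainted name succeeds under `-T`, which is why testing with taint on never flags the original program; only the write-mode argument triggers the "Insecure dependency" error.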