Taint CGI param on IIS

Discipulus has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks!!

I'm use unfortunatly IIS and when I'have started my cgi on this platform I have discovered the Too late for -T switch.. and I have read the wonderful post Alternatives to Taint Checking? and with the following code I try to resolve this deficency:
Could some wise monk review this ??

#!perl -w<P>

 use CGI qw/:all -nph/;
 $POST_MAX=100;
 $DISABLE_UPLOAD=1;
 $q=new CGI;<P>

#et cetera..<P>

$pattern=qr/(\w-]+\.){2,5}[a-zA-Z]{2,4}\b)/;
$good_param_qs=&taint_param('qs',$pattern );<P>

#do staff with almost-tainted param qs...............<P>

sub  taint_param()
 {
  $parametro=shift;
  $matching=shift;
  if ($q->param($parametro)=~/($matching)/){return $1}
  else{print"Invalid parameter!\n\n";return undef}
 }
[download]

greetings from sunny Roma
Lorenzo*

Comment on Taint CGI param on IIS Download Code

Replies are listed 'Best First'.
Re: Taint CGI param on IIS by inman (Curate) on Oct 16, 2003 at 16:13 UTC
The application that is called in reponse to a script is controlled by a list of associations configured in IIS. The method by which you manually make the association between any script and it's executable is described in the ActiveState documentation. Normally the association should have been configured if you selected the right install options. But in brief - Try this: Locate your script directory (e.g. cgi-bin) in the IIS admin console View the properties \| Virtual Directory Tab Press the Configuration button. Either locate or create the .pl entry Enter the details shown below then test your app `Executable = C:\Full\Path\perl.exe -T "%s" %s` `Extension = .pl` `Verbs - Limit to = GET, POST` The perl executable appears to run OK with the extra option but you might want to check that it is actually doing any work! inman	[reply] [d/l] [select]
Re: Taint CGI param on IIS by Abigail-II (Bishop) on Oct 16, 2003 at 10:06 UTC
What exactly is your question? You're not using taint checking, and you're not doing anything that would trigger a taint check anyway. It's also not code that could trigger the message you describe, and there's no taint checking turned on. Abigail	[reply]
Re: Re: Taint CGI param on IIS by Discipulus (Canon) on Oct 16, 2003 at 10:10 UTC
oh scuse me on IIS u cannot turn-on taint check and I ask them if my code could be a almost-valid solutions lor*	[reply]
Re(^3): Taint CGI param on IIS by ajt (Prior) on Oct 16, 2003 at 11:58 UTC
You can run Perl with taint checking switched on, with IIS, though I will admit it's not as easy as with a proper web server such as Apache - which runs very well on NT systems. A long time ago when forced to use NT/IIS I ran into the same problem, and it's normal work-around - Taint with Perl on NT/IIS. -- ajt	[reply]