perleager has asked for the wisdom of the Perl Monks concerning the following question:

Hey all,

I want to start using Taint mode for a script I'm building that requires retrieving an uploaded file from an input in a form.

When trying to use the -T switch, it gives the message: Too late for "-T" option at upload_test.pl line 1.

This node is basically similar to: http://perlmonks.org/index.pl?node_id=22210

The last post by user doran is probably my best solution.

I'm running Windows IIS and my registry key for perl scripts is:
c:\perl\bin\perl.exe %s %s

Now to fix this, Doran says to modify that line to:
c:\perl\bin\perl.exe -T %s %s

A question before doing this. Will it affect all perl scripts run? I never used the taint mode and wondering would I need to change a lot of work in my scripts. Most of my scripts involve user input! Such as signing up for membership where the script collects all user info to be added in a MySQL db and a simple password retrieval script that takes the user's e-mail from an input box.

Should I seriously take into consideration tainting all those scripts? This site may have a lot of hits so security may be a concern. I wish I knew about tainting and untainting earlier, I just went through all my scripts to incorporate the strict command and now I might need to do a similar re-editing process! ahhh... =)

Thank you,

Anthony

Replies are listed 'Best First'.
Re: Another Taint question on Windows
by tachyon (Chancellor) on Apr 13, 2004 at 11:31 UTC

    Win32 maps file extension to executable. To have the best of both worlds leave current .pl extension and perl.exe association intact.

    First create a new extension, say .plt. In Explorer: Tools|Folder Options|File Types|New, and link it to perl.exe. Then for IIS add .plt to the scriptmap:

    .pl  C:\perl\bin\perl.exe %s %s
    .plt C:\perl\bin\perl.exe -T %s %s

    This will associate the taint mode perl with .plt. Now all your current .pl scripts continue to run without taint mode. If you want taint mode just change the file extension from .pl to .plt.

    There is a thread from ? dws on this somewhere here. Update: Found it for you: Re: -T t t t t t o o late folks

    cheers

    tachyon

Re: Another Taint question on Windows
by matija (Priest) on Apr 13, 2004 at 11:22 UTC
    "Will it affect all perl scripts run?"

    All scripts run by IIS, but not the scripts run from the console, is my impression.

    "I never used the taint mode and wondering would I need to change a lot of work in my scripts."

    If you've never used taint mode, I think it's a safe bet you would have to change a lot. However, if you have written your programs in a modular manner, so that you process your input in one place, your changes could quite conceivably be fairly simple to apply.

    If the site will have many users, then you should already be checking your input (in effect doing what taint forces you to do), and taint will only help you find areas where you forgot to do it. If you aren't checking your inputs on such a public site, you are sorely tempting fate.
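
The "process your input in one place" approach from the reply above, sketched as an added example that is not part of the original thread: a single validation routine that untaints an e-mail field and an uploaded file name under -T. The names `clean_field` and `%RULE`, the allowed upload extensions and the sample values are assumptions made for illustration.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Refuse to run unless perl was started with -T, e.g. through the .plt
# script mapping described in the thread.
die "taint mode is off; start this script with perl -T\n" unless ${^TAINT};

# Zero-length tainted string: appending it marks the constructed samples
# below as tainted, the way real form input would be.
my $TAINT = substr(join('', %ENV), 0, 0);

# The one place where form fields are checked (hypothetical rules). Under -T
# only a regex capture yields an untainted value, so each rule anchors with
# \A...\z and captures the whole match.
my %RULE = (
    email  => qr/\A([\w.+-]{1,64}\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/,
    upload => qr/\A([A-Za-z0-9_-]{1,64}\.(?:txt|png|jpg))\z/,  # bare name, no path
);

sub clean_field {
    my ($kind, $value) = @_;
    my $rule = $RULE{$kind} or die "no rule for field '$kind'\n";
    return unless defined $value;
    my ($clean) = $value =~ $rule;    # undef when the value does not match
    return $clean;
}

# Constructed sample input, not taken from the thread.
my @samples = (
    [ email  => 'anthony@example.com' ],
    [ email  => 'not-an-address' ],
    [ upload => 'photo_01.jpg' ],
    [ upload => '..\\..\\other\\name.txt' ],
);

for my $s (@samples) {
    my ($kind, $raw) = ($s->[0], $s->[1] . $TAINT);
    my $clean = clean_field($kind, $raw);
    my $result = defined $clean
        ? 'accepted, tainted=' . (tainted($clean) ? 1 : 0)
        : 'rejected';
    printf "%-6s %-28s tainted=%d -> %s\n",
        $kind, $raw, (tainted($raw) ? 1 : 0), $result;
}
```

Run it as `perl -T` followed by the script name; without the switch it stops at the `${^TAINT}` check instead of silently skipping the taint checks.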