Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi. Sorry for an anonymous post. I don't want anyone to find out which company I'm talking about.

I've recently been hired by a company to improve their CGI scripts running on NT using IIS. I don't know anything about NT or IIS. My immediate problem is that none of their CGI scripts use taint checking!

I've tried using -T on the shebang line, but I get a "Too late for -T" error. This suggests to me that IIS is firing up the Perl interpreter and THEN passing the script to it. The Perl interpreter needs to have taint checking enabled when it comes up, but I'm not sure how this works.

Here's my dilemma: if I figure out how to enable taint checking with Perl AUTOMATICALLY, then all of their scripts will break and we have too many for me to fix all of them. I need to be able to have IIS read the shebang line and fire up Perl if it's on the shebang line (with whatever switches are passed). If it doesn't find a shebang line, and none of their scripts currently have one, then it should fire up Perl with no taint checking -- otherwise all of their current scripts will break. Is there something funky I can do with extensions?

I know that some of you will tell me to get another job and I just might, but I honestly want to find a way to help them out of this problem. In short, I need a transparent solution that will allow them to write secure scripts using taint checking without breaking anything they already have.

Thanks!

Replies are listed 'Best First'.
(tye)Re: Perl and IIS
by tye (Sage) on Dec 01, 2000 at 00:28 UTC

    I think you'll have to resort to "associating" *.pl with "perl" and *.plt with "perl -T".

            - tye (but my friends call me "Tye")

        Oh, details. Sorry:

        assoc .plt=Tainted Perl
        ftype Tainted Perl=perl -T "%1" %*

        should do the trick.

        Update: Well, that works for many things but may not work for IIS. ):

                - tye (but my friends call me "Tye")
Re: Perl and IIS
by mrmick (Curate) on Nov 30, 2000 at 23:42 UTC
    There's a module on CPAN called Taint. I haven't used it but it may be an option....

    Mick
      Lamentably, this solution does not quite address the situation that this monk raises. The Taint module does not turn on taint checks. It's primarily a convenient way to test for tainted data. This module does allow use Taint qw(allow_no_taint);, but this is not likely to have much benefit. As far as I can tell, this allows you to write code which may not have taint checks enabled, but still test to see whether or not data coming into the program is tainted (for instance, if you're writing a module used in a CGI script). The anonymous monk needs a way to turn on taint checks for h(?:is|er) scripts without impacting the way older scripts run.

      Since I haven't used this module before, my understanding of the docs is impaired :) Corrections welcome.

      Cheers,
      Ovid


Re: Perl and IIS
by PsychoSpunk (Hermit) on Dec 01, 2000 at 00:08 UTC
    One of the things to recall, at least with IIS, is that the shebang isn't used. At all. It's a most annoying feature.

    ALL HAIL BRAK!!!

      IIS DOES look at the shebang line for any switches. So if you include -T or -w (or whatever), it'll enable Taint Checking, Warnings (or whatever).

      What IIS ignores is the PATH TO PERL on the shebang line. For example, I begin just about all my CGI scripts with #!/usr/bin/perl -Tw even though perl.exe resides in c:\perl\bin on my NT/2000 boxen. IIS ignores the path, but not the switches.

      As for Taint checking, the only way I know to do this with IIS is to adjust the registry entry used by IIS to launch perl to include the -T switch.

      Good luck...

        If you get the "too late for -T" warning, then IIS isn't checking the #! line. Note that Perl itself checks the #! so things like -w work (and this is the point at which it finds -T and decides that it is too late).

                - tye (but my friends call me "Tye")
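
The following is an added example, not code posted by anyone in the thread: a new CGI script that relies on a server-side mapping (such as the .plt association suggested above) to start "perl -T", and refuses to run if taint checking turns out to be off. The parameter name "report" and the allowed-character pattern are assumptions for illustration; ${^TAINT} and Scalar::Util::tainted require Perl 5.8 or later.

```perl
#!/usr/bin/perl
# Added example, not from the thread. No -T here on purpose: the script relies on
# the server-side mapping (e.g. the .plt association above) to start "perl -T",
# and refuses to do any work if that mapping is missing or wrong.
use strict;
use warnings;
use Scalar::Util qw(tainted);   # core module since Perl 5.8

# ${^TAINT} (Perl 5.8+) is 1 under -T, -1 under -t (warn only), 0 when off.
sub taint_enabled { return defined ${^TAINT} && ${^TAINT} == 1 }

# Untaint by capturing only what a strict allow-list pattern matches.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/ ? $1 : undef;
}

unless (taint_enabled()) {
    print "Status: 500 Internal Server Error\r\n",
          "Content-Type: text/plain\r\n\r\n",
          "Refusing to run: taint checking is not enabled.\n";
    exit 1;
}

# Minimal query parsing for the example (no URL decoding); split keeps taint.
my %q = map { (split /=/, $_, 2)[0, 1] } split /&/, ($ENV{QUERY_STRING} || '');
my $raw    = $q{report};              # hypothetical parameter name
my $report = untaint_name($raw);

print "Content-Type: text/plain\r\n\r\n";
printf "raw value tainted:   %s\n", (defined $raw && tainted($raw)) ? 'yes' : 'no';
printf "clean value tainted: %s\n", (defined $report && tainted($report)) ? 'yes' : 'no';
print defined $report ? "Report: $report\n" : "Invalid report name.\n";
```

Because the guard runs before any input is read, a script that is renamed or mapped to plain "perl" fails closed instead of silently running without taint checks, while existing scripts without the guard are unaffected.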