I don't think that's it, or at least, that's not the way it works on one Linux/Apache configuration. For one thing, $ENV{ PWD } is not even in the environment of CGI scripts (when run under Apache) in this configuration; here are the keys of %ENV, printed from within one such script:
AUTH_TYPE HTTP_KEEP_ALIVE SCRIPT_FILENAME
DOCUMENT_ROOT HTTP_USER_AGENT SCRIPT_NAME
GATEWAY_INTERFACE PATH SERVER_ADDR
HTTP_ACCEPT PERL5LIB SERVER_ADMIN
HTTP_ACCEPT_CHARSET QUERY_STRING SERVER_NAME
HTTP_ACCEPT_ENCODING REMOTE_ADDR SERVER_PORT
HTTP_ACCEPT_LANGUAGE REMOTE_PORT SERVER_PROTOCOL
HTTP_CONNECTION REMOTE_USER SERVER_SIGNATURE
HTTP_COOKIE REQUEST_METHOD SERVER_SOFTWARE
HTTP_HOST REQUEST_URI
Furthermore, if I run the CGI script listed below on my server, untainting the input filename (by passing a non-zero untaint param to the script) is sufficient to appease -T, even though I am creating and unlinking a file in a relative directory (../TRASH); if the filename is not untainted, however, -T kills the script at the unlinking step.
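As an added illustration of the behaviour described in the post above (this is not the script the post refers to, and not the poster's code): a stand-alone Perl script that attempts `unlink` first with a tainted file name and then with an untainted one under -T. The scratch directory under /tmp, the sample file name and the helper `untaint_filename` are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example, not the script the post refers to. Run as: perl -T taint_unlink.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: $^X is tainted under -T, and a zero-length substr of a
# tainted string is itself tainted, so appending it taints the file name the
# same way a CGI parameter would be.
my $TAINT = substr($^X, 0, 0);
my $param = 'upload_01.tmp' . $TAINT;

# Hypothetical helper: untaint by allow-list. Only a regex capture clears the
# taint flag. Bare file name only: no slashes, no leading dot, max 64 chars.
sub untaint_filename {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

my $dir = "/tmp/taint_demo_$$";    # assumed scratch location
mkdir $dir, 0700 or die "mkdir $dir: $!";

my $clean = untaint_filename($param);
defined $clean or die "file name rejected\n";
printf "param tainted: %s, clean tainted: %s\n",
    (tainted($param) ? 'yes' : 'no'), (tainted($clean) ? 'yes' : 'no');

# A traversal attempt does not match the allow-list and is rejected.
print "traversal name:   ",
    (defined untaint_filename('../TRASH/x' . $TAINT) ? "accepted\n" : "rejected\n");

open my $fh, '>', "$dir/$clean" or die "open: $!";
close $fh or die "close: $!";

# Same name, still tainted: -T makes unlink die, which eval catches here.
my $ok = eval { unlink "$dir/$param"; 1 };
(my $err = $@) =~ s/\s+\z//;
print "tainted unlink:   ", ($ok ? "allowed\n" : "blocked ($err)\n");

# Untainted name: the unlink goes ahead.
my $removed = unlink "$dir/$clean";
print "untainted unlink: ", ($removed ? "removed\n" : "failed: $!\n");

rmdir $dir or warn "rmdir $dir: $!";
```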