in reply to taint mode, libraries and file path

In case the previous post wasn't clear, you can go back to using:

use lib "..";

in your development environment. That has nothing to do with the message you're getting. As was said, you need to set $ENV{PATH} to some value before doing a call to any external program.

Incidentally, the reason you haven't hit this in production is likely because your production server is calling CGI scripts with no PATH set in the environment. This means that your production scripts will suddenly break if someone tweaks the existing Apache configuration file and adds:

SetEnv PATH /bin:/usr/bin

to the Apache configuration. This is a ticking bomb, just waiting for someone else to set it off in this fashion. You might want to put:

$ENV{PATH} = q[/bin:/usr/bin];

at the top of your production scripts as soon as is feasible.
-- @/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/; map{y/X_/\n /;print}map{pop@$_}@/for@/

Re^2: taint mode, libraries and file path
by tilly (Archbishop) on Aug 22, 2005 at 06:35 UTC
    In fact I'd go further and suggest explicitly wiping out %ENV, and only setting the items that you need. That will eliminate time bombs from various modules that might use environment variables in unexpected ways. (Particularly cases where after an upgrade, the module adds an environment variable that it didn't use before.)

    Note that if you really did want something like PATH to be settable, you can untaint it (presumably with a sanity check) and set the value to the untainted version.

      Good point. Note that perl's taint mode doesn't guard against other wild variables, such as LD_LIBRARY_PATH or LD_PRELOAD, both of which are on many systems just as dangerous as PATH.
      -- @/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/; map{y/X_/\n /;print}map{pop@$_}@/for@/
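The clean-%ENV approach tilly describes, combined with the sanity-checked PATH untainting and the LD_* concern raised above, as an added Perl example that is not code from this thread. The list of kept CGI variables, the fixed default PATH and the PATH pattern are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Assumed list of the CGI variables this script actually reads (REMOTE_USER is the
# one the original poster mentions). Everything else in %ENV is dropped, including
# PATH, LD_LIBRARY_PATH, LD_PRELOAD and the other variables perl's taint checks
# (IFS, CDPATH, ENV, BASH_ENV), as well as anything a future module upgrade might read.
my @KEEP = qw(REMOTE_USER REQUEST_METHOD QUERY_STRING CONTENT_LENGTH CONTENT_TYPE);

sub scrub_env {
    my %saved = map { exists $ENV{$_} ? ($_ => $ENV{$_}) : () } @KEEP;
    %ENV = %saved;                    # wipe everything not explicitly kept
    $ENV{PATH} = '/bin:/usr/bin';     # a literal is never tainted (assumed default)
    return \%ENV;
}

# Only for a deployment that really needs PATH to be settable: accept the value only
# if every entry is an absolute directory built from a conservative character set.
# The captured group is untainted by the match; a failing check returns undef.
sub untaint_path {
    my ($candidate) = @_;
    return undef unless defined $candidate;
    my ($clean) = $candidate =~ m{\A((?:/[A-Za-z0-9_.-]+)+(?::(?:/[A-Za-z0-9_.-]+)+)*)\z};
    return $clean;
}

# Save the server-supplied PATH (tainted) before wiping %ENV, then keep it only if
# it passes the sanity check; otherwise the fixed default from scrub_env() stays.
my $requested = $ENV{PATH};
scrub_env();
if (defined(my $clean = untaint_path($requested))) {
    $ENV{PATH} = $clean;
}

# Without the scrub above, this call would die under -T with "Insecure $ENV{PATH}"
# whenever the web server hands the script a PATH (or no PATH) it cannot trust.
system('/bin/date') == 0 or warn "external call failed: $?";
```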

        Thank you all muchly for the help. I did get a fix by setting $ENV{PATH} = '' which is fine for now.

        I use other parts of ENV quite a lot though, esp. REMOTE_USER as I am using htaccess and need to identify people. I realise it is not the most secure method, but it's fine for what I want.

        To be honest, I don't completely understand ENV and PATH and what they really do - I need to do some Apache reading I guess.

        Thanks again for the help.