Yes, taking the -T out of the #! line will allow the program to run, but unfortunately, it also doesn't taint check.

#!perl -wT
use strict;

my $bad_stuff = $ENV{HOME};
system($bad_stuff);
[download]

I'm probably rehashing old news, but my testing shows that taint will puke over this whether or not the -T is in the #! line as long as perl is called with -T. But if I run it in the browser without the -T in the #! line, taint doesn't make a peep. This is all while the -T is still in the registry. But I'm probably misunderstanding the situation...

Update: Due to several complaints, removed signature

Sarah

I assume you've given the script a .cgi extension, and that you've located the W3SVC\Parameters\scriptmap in the registry, and have added -T to the value for the .cgi key, and that you've stopped and restarted IIS (or rebooted, for good measure).

If all this is the case, then you should see -T puking on your script when you invoke it through the browser.

I get "Too late for -T" when I also have -T in the #! line, but this may be Perl version-dependent behavior (I'm pretty far out of date on one box. This is probably a good excuse to upgrade.)

Yep, after doing anything in the registry, I always reboot.

I feel as though I'm miscommunicating. I'm not using IIS, I'm using PWS (Personal Web Server). I realize that these can be considered the same in some respects, but for all I know, that isn't the case here. The only way I've found to manipulate the Script Map is to edit the registry. You mentioned playing with this through the Internet Service Manager - I don't think I have that.

My biggest problem with taking the -T out of the #!, is that it does not appear to be taint checking at all. The code I posted earlier should make taint tell me that it's insecure, but it simply doesn't. This is why I'm going to the trouble of uploading to my webhost to make sure my code runs cleanly in taint.

Update: Due to several complaints, removed signature

Sarah

I solved the problem and have no experience in Perl or IIS (I guess now I have a little) All you have to do is this: Relates to IIS 5 or higher using ActivePerl 5.x for Win32 using ISAPI. Go into the properties of CGI virtual directory.. Click "Configuration" button on the Virtual Direcotry tab Click on your .pl extension and click edit Edit the line to reflect C:\perl\bin\perl.exe -T "%s" %s Apply changes.

I probably should have said "after you added it to the scriptmap."

There are two ways to edit the scriptmap. The common one is to use one of the registry editing tools (e.g., regedit) and then to restart IIS (and reboot if you're on Win98!)

The less common way is to use the Internet Service Manager, which makes you jump through five hoops to find where to access to the scriptmap.