
Taint mode [was: I Can Get To Admin...]


  • From: Gunnar Hjalmarsson  
  • Date: Mon, 18 Apr 2005 01:24:14 +0200

Gunnar Hjalmarsson wrote:
After some research this problem proved to be caused by the fact that James's new server does not like the -T switch on the shebang line, i.e. it generates a fatal error if you try to run a CGI script in "taint mode".

<snip>

It's kind of weird that a web server does not 'like' it, since running CGI scripts in "taint mode" to a large extent serves the purpose of protecting *the server*.

Tzabaoth replied:
Yahoo! has the same problem. They don't allow the taint mode either.

Richard Lowe replied:
I use activeperl and it does not allow taint mode.

This is a quote from the Perl 'bible':

<quote>
On the more security-conscious sites, running all CGI scripts under the -T flag isn't just a good idea: it's the law. We're not claiming that running in taint mode is sufficient to make your script secure. It's not, and it would take a whole book just to mention everything that would. But if you aren't executing your CGI scripts under taint mode, you've needlessly abandoned the strongest protection Perl can give you.
</quote>


There are web hosts who *require* taint mode for CGI scripts.

Tzabaoth and Richard: Do you know of any rationale, or at least an explanation, for why the -T switch is disallowed in those environments?

/ Gunnar
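For readers unfamiliar with what the -T switch actually does for a CGI script, here is a small illustration. It is an added example and not code from the thread or from any of the hosts discussed; the script name and the sample argument are constructed, and nothing in it depends on a web server.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): what Perl's taint mode does.
# Run as:  perl -T taint_demo.pl 'report;rm -rf /'   (the argument is a constructed sample)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, Perl refuses to run external commands while %ENV{PATH} is
# untrusted, so a taint-mode CGI script sets its own environment first.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Anything that comes from outside the program (%ENV, @ARGV, STDIN, file
# reads) is marked "tainted". A real CGI script would read QUERY_STRING or
# STDIN; @ARGV is used here so the script runs offline.
my $filename = shift @ARGV;
die "usage: perl -T taint_demo.pl <filename>\n" unless defined $filename;

print "input is tainted: ", (tainted($filename) ? "yes" : "no"), "\n";

# Tainted data may not reach anything that affects the outside world
# (system, exec, open for writing, unlink, ...). Perl dies with
# "Insecure dependency in system while running with -T switch".
eval { system('ls', '-l', $filename); 1 }
    or print "blocked by taint check: $@";

# The only way to untaint is a regex capture that states exactly what the
# data is allowed to look like. $1 is not tainted.
if ($filename =~ /^([\w.-]+)\z/) {
    my $safe = $1;
    print "after validation, tainted: ", (tainted($safe) ? "yes" : "no"), "\n";
    system('ls', '-l', $safe);   # now permitted
} else {
    print "rejected '$filename': only [A-Za-z0-9_.-] is allowed\n";
}
```

The -T flag must be given to the interpreter itself (on the command line or on the shebang line of a script started by the server); if a host's configuration runs `perl script.pl` with a different interpreter line, Perl stops with "Too late for -T option", which is the kind of fatal error the quoted message describes. The point of the second `system` call is that validation is a decision the script author has to make explicitly; taint mode turns a forgotten validation into a hard failure instead of a silent shell injection.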


References to:
James S. Huggins (Ringlink List)
Gunnar Hjalmarsson
