Re: How to turn off taint checking in cgi



In our last episode, <5fjgrdF3dh7qlU1@xxxxxxxxxxxxxxxxxx>, the lovely and
talented Clenna Lumina broadcast on comp.lang.perl.misc:

Paul Lalli wrote:
On Jul 10, 9:18 am, Lars Eighner <use...@xxxxxxxxxxxxxxx> wrote:
How can I turn off taint checking in a perl cgi script?

By removing the -T option from the shebang in the script and/or the
perl executable line in your webserver configuration file.

I don't ever recall seeing anything like that in Apache.

I have now handed you a loaded hand gun and taught you how to point it
at your head. Good luck.


It's amazing how it's always assumed that there isn't a valid reason for
a question like this. The OP may have a perfectly good reason for doing
what he's doing

Well, as a matter of fact I do. I am putting together tools to use
to build static pages which are then uploaded to a server which is actually
open to the public, unlike my local one. I've got one user. Me.

(like, say, debugging in some way), even if we don't
know what it is. Granted, there's nothing wrong with reiterating a
danger where danger potentially exists, but at the same time, it seems
some people act too much like a "parental controls" mechanism, which
only serves to take the focus from the original question itself.

Give warning, by all means, but please try to address the question
itself.

AFAIK, if you are using setuid perl (where tainting is on by default,
iirc), then a common method is using a c wrapper that's suid'ed to the
desired user and executes the script, returning the output.

Well, apparently it is an apache problem -- or at least I have an
apache problem. I cannot get suexec to work on 2.0.x; and nothing
containing backticks, system, etc. works. Similar things also do not
work in sh scripts (although of course everything runs fine from the
commandline). Perl (when taint is given sneering lip service) and sh
scripts work fine with apache 1.3.xx, but I don't have a php5 module that
works with that. Likewise with versions of apache above 2.0.xx -- no
php handler.

Yes. I have compiled and installed five versions of apache in the last 24
hours, and still cannot get a combination that will do both php5 and
cgi, although each of them will do one or the other.


Look folks, I'd like to sell you my new super secure Server-Scripting
combination. It's called Rock v. 1.0. It is unhackable. It won't
execute malicious code, because it won't execute any code at all.
You can put it on your desk or collocate it -- like on the ground with other
rocks. And you don't have to worry about your data, because it doesn't have
any of your data. It's a Rock. And that seems to be what developers are
trying to create.

Hell, if I ran Windoz, it would be just as useless but at least I could
watch the ripped-off videos on you tube.


--
Lars Eighner <http://larseighner.com/> <http://myspace.com/larseighner>
Countdown: 559 days to go.
Friends of Lizbeth: help replace failed a/c at Austin's no-kill shelter
<https://secure.groundspring.org/dn/index.php?aid=12349>
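As an added example (not part of this thread and not anyone's posted code), this is what the alternative to pulling `-T` looks like: keep taint mode on and untaint the one input the script actually needs through a restrictive regex capture, which is the only way Perl lets tainted data become usable. It assumes a static-page build tool that takes a single `page` query parameter; the parameter name, the character whitelist and the `/bin/echo` stand-in for the real build step are placeholders chosen for this example.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): a CGI script that keeps -T on and
# untaints the one input it needs instead of disabling taint checking.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec recipe: under -T, system() and backticks refuse to run until the
# parts of the environment that influence child processes are made safe.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Parse QUERY_STRING by hand (no CGI.pm dependency). Everything taken
# from %ENV is tainted, and so is everything derived from it.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /[&;]/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;                                  # '+' encodes a space
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;        # %XX percent-decoding
        }
        $param{$k} = $v // '';
    }
    return \%param;
}

# Untaint by extracting only the characters the application can justify.
# A capture from a regex match is the sanctioned way to launder a tainted
# value; a permissive pattern such as /(.*)/ would defeat the purpose.
# The whitelist and length limit are placeholders for this example.
sub untaint_page_name {
    my ($name) = @_;
    return unless defined $name;
    return $name =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

my $param = parse_query($ENV{QUERY_STRING});
my $page  = untaint_page_name($param->{page});

print "Content-Type: text/plain\r\n\r\n";
unless (defined $page) {
    print "rejected: page must be 1-64 chars of [A-Za-z0-9_-]\n";
    exit 0;
}

# $param->{page} is still tainted; $page is not. With -T, handing the
# tainted original to system() would die with "Insecure dependency".
print "raw value tainted:       ", (tainted($param->{page}) ? "yes" : "no"), "\n";
print "untainted value tainted: ", (tainted($page)          ? "yes" : "no"), "\n";

# Placeholder for the real build step; list-form system() never invokes a shell.
system('/bin/echo', "building static page: $page") == 0
    or print "build step failed: $?\n";
```

Because taint mode has to be in effect before the script is compiled, test it from a shell as `QUERY_STRING='page=index' perl -T tool.pl`; running `perl tool.pl` with `-T` only on the shebang line dies with "Too late for -T". Under Apache's mod_cgi the shebang alone is enough, since the interpreter is started from it. The point of the regex whitelist is that the value is rejected, not cleaned up, when it contains anything the build step cannot justify (`page=../etc/passwd` or `page=x;rm` both fail the match).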