dan enright wrote:

> All,
>
> I'll try one last time before I abandon v4.01...
>
> I've installed analog 4.01 on a system running Linux 2.0.36 / i586
>
> Analog runs from the command line and testing the settings gives an
> expected response.
>
> I'm attempting to use the form and anlgform.pl. I've made the following
> modification to anlgform.pl: moved the path to analog down into its own
> space:
>
> #       Unix:
>
> $analog = '/***/***/bin/analog';
>
> #       Windows: $analog = 'C:\program files\analog 4.01\analog.exe';
>
> This explains the difference in numbering from the original file. This is the
> path to analog  (outside the webspace as suggested).
>
> Without the -T switch, I'm able to run it from the command line. I interpret
> this to mean the path is correct.
>
> When I use the form, I get the following error:
>
> Program Failure
> Analog failed to run or returned an error code.
> Maybe your server's error log will give a clue why.
>
> This appears to be a section of anlgform.pl beginning at line 106.
>
> There are no entries in my error log.
>
> I can run anlgform.pl from the command line. When I run it with the  -T
> switch, I get this error message:
> Insecure $ENV{ENV} while running with -T switch at ./anlgform.pl line 83.
>
> This appears to be the line:
>     open (ANALOG, "|$analog +g-");  # errors here will get caught on close
>
> When I remove the -T switch it outputs as expected. However it won't
> output via the form (see error above) with (or without) the -T switch.
>
> I get the expected output when I submit:
> http://riccardos.com/cgi-riccardosmarket/anl/anlgform.pl?qv=1&LOGFILE=/***/***/***-access-log&REQINCLUDE=pages
>
> ie:
> CGI ON
> DNS NONE
> WARNINGS FL
> LOGFILE /***/l***/***-access-log
> (this is correct, I've hidden the path/name for security reasons)
> REQINCLUDE pages
> OUTFILE stdout
>
> But I get the above error message when I submit:
> http://riccardos.com/cgi-riccardosmarket/anl/anlgform.pl?LOGFILE=/www/logs/***-access-log&REQINCLUDE=pages
>
> Any help would be greatly appreciated.

Dan,

The reason this comes up with an error is that Perl is complaining that the
variables sent to the shell command are insecure. That is, with taintedness on
(-T), any variables that are generated outside the program (such as the
environment) are considered insecure and are not allowed to be sent to an
external command.

Testing my copy of anlgform.pl from 4.0 I don't have any problems. But, you could
add this line to the top of the script to clear up the taintedness problem:

delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

If you then get a warning about $ENV{PATH} not being secure, add this line as
well:

$ENV{'PATH'} = '/bin:/usr/bin';

(Assuming /bin and /usr/bin are non-writable by other than owners and group)

HTH,


--
Jeremy Wadsack
Digital Media Consultant
___________________________
Wadsack-Allen Digital Group
http://www.wadsack-allen.com/digitalgroup/


------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
------------------------------------------------------------------------
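
The environment cleanup suggested in the reply, shown end to end as an added example (not code from the thread or from anlgform.pl). It assumes /bin/cat as a stand-in for the analog binary and uses a placeholder LOGFILE path.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_pipe.pl   (-T must also be given on the command line)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with -T\n" unless ${^TAINT};

# Assumption: /bin/cat stands in for the analog binary so this runs anywhere.
# In anlgform.pl the command is the absolute path in $analog plus '+g-'.
my @cmd = ('/bin/cat');

# The variables Perl inspects before it will start a child process under -T.
my @checked = qw(PATH IFS CDPATH ENV BASH_ENV);

sub report_env {
    my ($label) = @_;
    for my $name (@checked) {
        my $state = !exists $ENV{$name}  ? 'unset'
                  : tainted($ENV{$name}) ? 'TAINTED'
                  :                        'clean';
        print STDERR "$label $name: $state\n";
    }
}

report_env('before');

# The fix from the reply: drop the shell-control variables and pin PATH to a
# literal. A value assigned from a constant in the script is not tainted.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{'PATH'} = '/bin:/usr/bin';

report_env('after ');

# List-form pipe open: the command is executed directly, with no shell.
open(my $pipe, '|-', @cmd) or die "cannot start $cmd[0]: $!\n";

# Constructed configuration lines modelled on the ones quoted in the thread.
print {$pipe} "$_\n" for (
    'CGI ON', 'DNS NONE', 'WARNINGS FL',
    'LOGFILE /path/to/access-log',   # placeholder path
    'REQINCLUDE pages', 'OUTFILE stdout',
);

# As in anlgform.pl, a failed child surfaces when the pipe is closed.
close($pipe) or die "child failed: status=$? errno=$!\n";
```

Commenting out the `delete` and `$ENV{'PATH'}` lines reproduces the "Insecure $ENV{...} while running with -T switch" failure at the `open` call whenever one of the checked variables is set in the calling environment.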
