On 12/9/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Setup: Perl 5.8, WinXP
>
> I have created the code below to test Taint mode. The testapp.exe
> program is actually the standard windows "attrib.exe" but renamed and
> placed in my CWD. The program as it is below works as expected, however if
> I swap the comments on the two $ENV{'PATH'} lines it no longer works and
> reports an insecure $ENV{PATH}.
>
> I can't understand why I need to have the windows system32 folder
> included in my $ENV{PATH} for the prog to run.
>
> If in a DOS window I reset my OS environment var PATH to simply '.'
> (the CWD) the testapp.exe will run as normal in the DOS window, so why
> is resetting my $ENV{PATH} to the CWD different?
>
> Thanks
>
> ----
>
> #!c:/perl/bin/perl.exe -wT
>
> use strict;
> use diagnostics;
> use CGI;
> use CGI::Carp qw(fatalsToBrowser);
> use Cwd;
>
> my $dir = getcwd();
> my $q = new CGI;
>
> print $q->header,
>       $q->start_html(-title => "External program"),
>       $q->h2("External command test");
>
> #$ENV{'PATH'} = $dir;
> $ENV{'PATH'} = ("C:\\WINDOWS\\system32");
> delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
>
> my @prog1 = ("testapp.exe", "+R", "dummy.txt", "/S");
>
> my $exit_status1 = system(@prog1);
>
> print $q->p("My CWD is $dir"),
>       $q->p("My 'PATH' is $ENV{'PATH'}"),
>       $q->p("Exit status1: $exit_status1"),
>       $q->end_html;

Read the docs on taint (and probably perlport) again. The issue isn't
what specific directory you have in your path, but how you get the
name of it.

Tainting can be complicated, but it boils down to this: when you have
the -T flag set, Perl treats almost all data that comes from outside
the script itself as tainted. In your case, getcwd() gets its result by
issuing an external system call, and the results of the system call are
tainted because they're passed in to Perl from the OS. In theory, some
malicious person could find a way to pass an illegitimate value to Perl
when it calls getcwd(). In order to use the value returned by getcwd(),
you need to untaint it before you use it to set the value of an item in
%ENV, or do much else with it, for that matter.

When you set the path yourself, though, Perl sees the string as clean,
because it comes from within the script itself.

HTH,

-- jay
--------------------------------------------------
This email and attachment(s): [ ] blogable; [ x ] ask first; [ ] private and confidential
daggerquill [at] gmail [dot] com
http://www.tuaw.com http://www.dpguru.com http://www.engatiki.org

values of β will give rise to dom!
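
The untainting step described in the reply, as an added example that is not part of the original thread: it shows system() refusing a PATH taken straight from getcwd(), then accepting it once the value has passed an allow-list regex. The helper name untaint_dir and its pattern are assumptions made for illustration; the command is the one from the original post, on the Windows setup described there.

```perl
#!perl -T
# Added example, not code from the thread. Run as: perl -T untaint_path.pl
use strict;
use warnings;
use Cwd qw(getcwd);
use Scalar::Util qw(tainted);

# Hypothetical helper: return an untainted copy of $dir only if it is an
# absolute path built from a conservative character set. A regex capture is
# the standard way to untaint, so the pattern must be strict, never /(.*)/.
sub untaint_dir {
    my ($dir) = @_;
    return unless defined $dir;
    return $1 if $dir =~ m{\A((?:[A-Za-z]:)?[/\\][\w ./\\-]*)\z};
    return;
}

# Command from the original post; testapp.exe is expected in the CWD.
my @prog = ("testapp.exe", "+R", "dummy.txt", "/S");
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $cwd = getcwd();
print "getcwd() tainted: ", (tainted($cwd) ? "yes" : "no"), "\n";

# 1) Tainted PATH: system() dies with "Insecure $ENV{PATH}" before running.
my $ran = eval { local $ENV{PATH} = $cwd; system(@prog); 1 };
print "tainted PATH:  ", ($ran ? "command attempted\n" : "refused: $@");

# 2) Validate, then use the captured (clean) value.
my $clean = untaint_dir($cwd);
die "Unexpected working directory, not using it in PATH\n"
    unless defined $clean;
print "clean tainted: ", (tainted($clean) ? "yes" : "no"), "\n";

$ENV{PATH} = $clean;
my $status = system(@prog);    # -1 means the program could not be started
print "exit status:   $status\n";
```

A working directory containing characters outside the pattern (parentheses, for example) is rejected rather than untainted; widen the character class deliberately if such paths are expected.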