Stas,

Thanks for all your help. I think there is something different about my
server too. I have no idea what it might be, but it really does look
like there's something going on.

Here's where I am at regarding testing and trying to track down the
problem. (Aside from pulling my hair and thinking about a total
reinstall.<G>)

I run the script fine under "regular" cgi; no errors. (Thanks for that
tip, hadn't thought of it.)
With PerlTaintCheck disabled in httpsd.conf it runs and produces no
errors.
With "PerlTaintCheck On" in httpsd.conf it runs and produces the
following errors:

[Tue Jan 11 09:38:12 2000] [error] Uncaught exception from user code:
      Can't upgrade that kind of scalar at
/usr/lib/perl5/site_perl/5.005/i386-    linux/Apache/Registry.pm line
32.
      Apache::Registry::handler('Apache=SCALAR(0x81a78c8)') called at
/dev/null line  0
        eval {...} called at /dev/null line 0

(lines wrapped badly)

I can even run it from the command prompt (Thanks to the wonders of
CGI.pm?)

[root@melanie /root]# /home/httpd/perl/hello.pl
(offline mode: enter name=value pairs on standard input)
realname=john
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML><HEAD><TITLE>Hello</TITLE>
</HEAD><BODY BGCOLOR="white"><H1>Hello john</H1><P>To change your name,
enter it into the text field below and press <EM>change name
<FORM METHOD="POST"  ENCTYPE="application/x-www-form-urlencoded">
Name: <INPUT TYPE="text" NAME="realname" VALUE="john"><INPUT
TYPE="submit" NAME=".submit" VALUE="Change
name"></FORM><HR></BODY></HTML>

For the record, my Registry.pm is V 2.01 and line 32 says:
  my $filename = $r->filename;
I also noticed that "use strict;" was commented out for purposes of
"#eval'd scripts will inherit hints". Don't know what this means really,
I just mention it in case it has bearing.

Here is the script. (I know "die" produces a server error too.) Please
feel free to tell me I am an idiot and missing the obvious, just tell me
what the obvious is. I really can't begin to make sense of the error
message. What is "upgrading" a scalar?

#!/usr/bin/perl -wT
use CGI qw( :standard);
use diagnostics;
use strict;
use vars qw($realname);
$realname = param('realname') || 'Anonymous';
if ($realname =~ /^([-\@\w.]+)$/) { #untaint per perlsec
        $realname = $1;
} else {
        die "Bad data in $realname";
}
print   header(),
        start_html( -title => 'Hello', -bgcolor => 'white' ),
        h1("Hello $realname"),
        p(
                "To change your name, enter it into the text field below and press",
                em( "change name." )
        ),
        start_form(),
        "Name: ",
        textfield( -name => 'realname' , -value => 'Anonymous' ),
        submit( -value => 'Change name' ),
        end_form(),
        hr(),
        end_html();

I tried it without "use diagnostics;" in case that was doing some
tainting. A similar but less detailed error is written to the logs:

[Tue Jan 11 09:53:17 2000] [error] Can't upgrade that kind of scalar at
/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Registry.pm

I can't test this with httpsd -x (For the predictably stupid reason
that I'm doing development on a "production" box.) The script seems to
be running once with no input, once with input and the second time it
runs with input I get the error. (I am guessing this based on the info I
see in "top" between each attempt.) I have tried really hard to
understand (and I think I get the basics) of the scoping that you talk
about in the guide. I don't see the problem there. There's only one
variable I create and I "use var qw($realname);" so that should be OK,
right?

One other thought, I run this under regular cgi with "#!/usr/bin/perl
-wT" (also under mod_perl). Shouldn't that warn of taint problems? (Even
if PerlTaintCheck is off?) And if so, then this isn't really a tainting
problem, so why does PerlTaintCheck affect operation of the script?

Any suggestions you have will be gladly examined. 

Thanks again,
John
  
> -----Original Message-----
> From: Stas Bekman [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 11, 2000 2:33 AM
> To: John Walker
> Cc: '[EMAIL PROTECTED]'
> Subject: RE: Hey, that ain't tainted, is it?
> 
> 
> > That would be ALL of it wouldn't it? <G>
> > 
> > Anyway, I'm still not sure how the hello world script violates the use
> > of tainted data... it just goes to STDOUT (browser).
> 
> Maybe because you load some other module which is not taint-clean. Look
> at this in this way -- lots of people run more complicated code than a
> "hello world" and don't have a taint problem. So there is something
> different about your server. Try to remove any preload and other code that
> you don't need and start afresh with a hello world script, then move back
> the rest one by one until you find the offensive one. BTW, try testing it
> with mod_cgi too, don't forget to add -wT at the shebang line...
> 
> > If I understand this correctly, I've got to run *all* my user input
> > through a regex and use the resultant $1, $2 parts as my data? What
> > about data from an SQL db via DBI, is that "pre-tainted"?
> 
> Not really, there are also other things to do when perl complains about
> taint problems. Like setting $ENV{PATH} and more... the manpage talks
> about these *other* things.
> 
> > Thanks, John.
> > PS The updated guide is very nice. (Maybe my problem is I shouldn't be
> > reading the guide, the panther book, the ram book, and the eagle book,
> > all at the same time. <G>)
> 
> :)
> 
> > 
> > > -----Original Message-----
> > > From: Stas Bekman [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, January 10, 2000 4:34 PM
> > > To: John Walker
> > > Cc: '[EMAIL PROTECTED]'
> > > Subject: Re: Hey, that ain't tainted, is it?
> > > 
> > > 
> > > 
> > > % perldoc perlsec
> > > -- is what you are looking for. it's all there...
> > [...]
> > 
[...]
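
Added example, not part of the original messages: a stand-alone Perl script, run with perl -T, showing the taint points discussed in this thread (printing tainted data is allowed, the perlsec regex capture untaints, and $ENV{PATH} must be set before running commands). The helper names untaint_name and report, the sample inputs and the /tmp path are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# A zero-length tainted string: $0, $^X and inherited %ENV values are
# tainted under -T, and taint spreads to anything derived from them.
my $TAINT = substr(join('', $0, $^X, values %ENV), 0, 0);

# Same pattern as the script in the message (the perlsec capture idiom).
sub untaint_name {
    my ($value) = @_;
    return $value =~ /^([-\@\w.]+)$/ ? $1 : undef;
}

sub report { printf "%-34s %s\n", @_ }

# Constructed inputs standing in for param('realname').
my $good = 'john' . $TAINT;
my $bad  = 'john doe;' . $TAINT;

report('raw input tainted:', tainted($good) ? 'yes' : 'no');

# Printing tainted data is allowed; taint mode only blocks its use in
# operations that reach outside the program (open for write, system, ...).
print "Hello $good\n";

# Tainted data in a file name opened for writing is refused (hypothetical path).
my $ok = eval { open(my $fh, '>', "/tmp/$good.txt") or die "open: $!"; 1 };
report('open(>) with tainted name:', $ok ? 'allowed' : 'refused');

# The captured $1 is a new, untainted scalar; input outside the pattern is rejected.
my $clean = untaint_name($good);
report('after regex capture tainted:', tainted($clean) ? 'yes' : 'no');
report('input with space/semicolon:', defined untaint_name($bad) ? 'accepted' : 'rejected');

# The $ENV{PATH} point from the reply: even a constant command is refused
# until PATH and the related variables are set to known values.
my $before = eval { my $out = `echo hi`; 1 };
report('backticks with inherited PATH:', $before ? 'allowed' : 'refused');
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $after = eval { my $out = `echo hi`; 1 };
report('backticks with PATH set:', $after ? 'allowed' : 'refused');
```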
