On Thu, Jul 10, 2003 at 10:25:59AM +0200, Dominique Quatravaux wrote: > > I need some help with this. Can you share the code you use w/in > > your <Perl> section? > > Sure! Here is how I untaint a selected range of variables from the > WWW server's %ENV, and discard all the others (good move to ease > debugging anyway): > > # From httpd.conf > PerlTaintCheck On > > <perl> > BEGIN { > # Untaint environment. Those variables come from > # Apache; even if they didn't, they would come from the root > # user who launched Apache. No security problems here. > > my %cleanenv; > foreach my $var (qw(PATH GATEWAY_INTERFACE MOD_PERL)) { > ($cleanenv{$var})=($ENV{$var} =~ m/^(.*)$/g); > } > %ENV=%cleanenv; > } > </perl> > > > I'm pretty confused because I was able to untaint my PATH var. > > by putting > > > > $ENV{PATH} = '/bin'; > > > > in the ***same scope*** where I was getting the error. > > Makes sense to me: if you are using Apache::Registry (for example), > your script only gets compiled once and the BEGIN blocks run at that > time. In fact Apache::Registry reads your cgi, then cooks it into > something like this: > > package Some::Name::Made::Up::By::Apache::Registry::To::Isolate::Your::cgi; > > sub handler { > # Your script here > } > > Then it evals that (by that time, the BEGIN blocks run), then calls > Some::Name::...::handler(). The purpose of these steps is caching: the > next time the CGI is hit, the evalling needs not be redone, only the > handler call. > > Now, my guess was that %ENV gets reset between the eval and the > handler call. As you mention, putting the untainter in the same scope > solves the problem, because you now circumvent the cleaning. Putting > it in the <perl> section should also solve the problem once for all, > because the <perl> section runs before the default %ENV value is > stashed (even before Apache forks, in fact). >
Dominique, Thanks for sharing your code; unfortunately, it's not working for me. I copied it into my httpd.conf file, stopped/started the server and I still get the same error: [Thu Jul 10 11:10:38 2003] [error] 19156: ModPerl::Registry: Error executing run mode 'getlib': \ Insecure $ENV{PATH} while running setgid at /opt/asic/http/2.0.46/worker/perl-lib/Webace/Art.pm line 386 where line #386 is: foreach my $release (`/bin/ls $path`) { # $path is already untainted <do stuff> } Any other ideas? Thanks and regards, P -- ^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^ Peter Ensch, [EMAIL PROTECTED] A-1140 (214) 480 2333 ^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^