I'm running mod_perl 2.0.2 under Apache 2.0.54. After adding "PerlSwitches
-wT" to my Apache config, I wanted to test that taint mode was indeed
working, so I wrote a test script that purposely misused a CGI parameter,
expecting the taint exception to be thrown. I was surprised to find it was
not, so I wrote this small test case:
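
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;

# Drop environment variables that taint mode treats as unsafe.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print "Content-type: text/plain\n\n";

my $q = CGI->new;
my $junk = $q->param('log');
# eval($q->param('log'));

if (is_tainted($junk)) {
    print "Param tainted as expected\n";
} else {
    print "Oops! Where's the taint?!?\n";
}
print "\n";
print "\$^TAINT=${^TAINT}", "\n";

# Returns true if $arg is tainted: evaluating a string built from tainted
# data dies under -T, and the inner eval is only a comment, so nothing runs.
sub is_tainted {
    my $arg = shift;
    my $nada = substr($arg, 0, 0);    # zero-length, but keeps the taint
    local $@;
    eval { eval "# $nada" };
    return length($@) != 0;
}
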
This prints:

Oops! Where's the taint?!?

$^TAINT=1

under mod_perl2. Indeed, if I go ahead and eval $junk, as long as it's valid
Perl, mod_perl2 gamely evaluates it. If I instead test, for example,
environment variables, the taint exception does get thrown. Under mod_cgi,
the same script prints "Param tainted as expected". Is there a subtlety that
I'm missing here, or have I uncovered a pretty serious bug?
--
View this message in context:
http://www.nabble.com/CGI-%3Eparams%28%29-should-be-tainted%2C-right--tf4858333.html#a13902824
Sent from the mod_perl - General mailing list archive at Nabble.com.
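
An added example, not part of the original post: a parameter guard that validates against an allow-list whether or not the value carries the taint flag, and warns when a value that should be external arrives untainted. The helper name checked_param, the log-name pattern and the sample values are assumptions made for illustration, and the script assumes PATH is set in the environment so that a tainted string can be constructed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Fail closed if the interpreter is not in taint mode at all.
die "taint mode is not enabled\n" unless ${^TAINT};

# Hypothetical helper: return a validated copy of $value, or die.
# The allow-list match runs whether or not the value is tainted, so the
# check does not depend on the taint flag reaching the parameter.
sub checked_param {
    my ($name, $value, $allowed) = @_;
    die "parameter '$name' is missing\n" unless defined $value;
    warn "parameter '$name' arrived untainted\n" unless tainted($value);
    my ($clean) = $value =~ /\A($allowed)\z/
        or die "parameter '$name' failed validation\n";
    return $clean;    # a regex capture is untainted
}

# Constructed inputs. Appending a zero-length slice of an environment value
# taints a string without changing its content.
my $env     = defined $ENV{PATH} ? $ENV{PATH} : '';
my $carrier = substr($env, 0, 0);
my %constructed = (
    tainted_ok   => 'access_log' . $carrier,
    tainted_bad  => 'access log; 1' . $carrier,
    untainted_ok => 'access_log',    # plain literal, carries no taint
);

# Assumed allow-list for a log name.
my $log_name = qr/[A-Za-z0-9_.-]{1,64}/;

for my $case (sort keys %constructed) {
    my $clean = eval { checked_param($case, $constructed{$case}, $log_name) };
    if (defined $clean) {
        printf "%-12s accepted, result tainted: %s\n",
            $case, tainted($clean) ? 'yes' : 'no';
    } else {
        print "$case rejected: $@";
    }
}
```

Run it as an executable script or with perl -T so the shebang switch and the command line agree.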