On Nov 26, 2007 4:45 PM, jalex <[EMAIL PROTECTED]> wrote:
>
>
> Scott Gifford wrote:
> >
> >
> > FYI, this test case works properly under my installation of Debian
> > mod_perl 1.29.0.2 under apache 1.3.34.
> >
> > Jalex, you might want to print out the value of your test variable and
> > make sure it is being received properly. I thought I saw the same
> > problem, until I realized that I hadn't set the log parameter to
> > anything, and undefined CGI parameters are not tainted.
> >
> > Is anybody else seeing this behavior under mod_perl 2? It would
> > indeed be a very serious bug.
> >
> > ----Scott.
> >
> >
>
> Yes, I did try printing it out. In fact, I tried calling eval() on it, and
> no exception was thrown! If I tried calling eval on an expression derived
> from an environment variable, then the taint exception does get thrown as
> expected. It's just the return values of CGI's param() method that seem to
> have somehow become untainted. If I run same test scripts under mod_cgi
> rather than mod_perl2, the taint exceptions get thrown exactly where I
> expect to see them.
I can reproduce this behavior with mod_perl 2.0.3, Perl 5.8.8 on
Solaris 9, using ModPerl::RegistryPrefork at least. From my
httpd.conf:
PerlSwitches -T
<Location /cgi-bin/taint-test/>
    SetHandler perl-script
    PerlResponseHandler ModPerl::RegistryPrefork
    PerlOptions +ParseHeaders
    Options +ExecCGI
</Location>
shell>cd /usr/local/apache2/cgi-bin/taint-test
shell>cat taint.pl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Drop the environment variables perlsec warns about before doing anything else.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print "Content-type: text/plain\n\n";

my $q    = CGI->new;
my $junk = $q->param('log');
# eval($q->param('log'));

if (is_tainted($junk)) {
    print "Param tainted as expected\n";
} else {
    print "Oops! Where's the taint?!?\n";
}

print "\n";
# ${^TAINT} is 1 when taint mode is active, so this confirms -T took effect.
print "\$^TAINT=${^TAINT}", "\n";

# Classic perlsec taint probe: an empty substring of a tainted value is still
# tainted, and eval'ing a string built from it raises "Insecure dependency".
sub is_tainted {
    my $arg  = shift;
    my $nada = substr($arg, 0, 0);
    local $@;
    eval { eval "# $nada" };
    return length($@) != 0;
}
Using the URL:
http://myserverhere/cgi-bin/taint-test/taint.pl?log=foo
Produces:
Oops! Where's the taint?!?
$^TAINT=1
Removing the <Location> directive and adding -T to the shebang line to
run under mod_cgi (same URL) produces:
Param tainted as expected
$^TAINT=1
--
Kevin.
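An added example, not from anyone in this thread: since the taint flag on CGI->param() values cannot be trusted under the ModPerl::RegistryPrefork setup above, the script validates the `log` parameter against an explicit whitelist regardless of what the flag says, and uses the core Scalar::Util::tainted() as the probe. The helper name and the character whitelist are assumptions chosen for this example.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): do not rely on taint propagation
# through CGI->param() under ModPerl::RegistryPrefork; validate explicitly.
use strict;
use warnings;
use CGI;
use Scalar::Util qw(tainted);   # core module; reports the taint flag directly

delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# Hypothetical helper: returns the validated value, or undef if it fails.
# The whitelist (simple log file names) is an assumption for this example.
sub untaint_log_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    # A regex capture is the sanctioned way to untaint; it also performs the
    # explicit check that taint mode would otherwise have forced on us.
    if ($raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/) {
        return $1;
    }
    return undef;
}

my $q   = CGI->new;
my $raw = $q->param('log');

print "Content-type: text/plain\n\n";
printf "taint flag on param: %s\n",
    tainted($raw) ? 'yes' : 'no (treated as untrusted anyway)';

my $log = untaint_log_name($raw);
if (defined $log) {
    print "accepted log name: $log\n";
} else {
    print "rejected: log parameter missing or contains unexpected characters\n";
}
```

Requesting `taint.pl?log=foo` prints the accepted name, while `taint.pl?log=../etc/passwd` is rejected whether or not the taint flag survived the mod_perl handler.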