Hello.  

Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.

I've noticed what seems to be a case of Taint mode being ignored with
respect to CGI params when running under mod_perl.

The following:

        #!/usr/bin/perl -T

        use strict;
        use warnings;

        $ENV{'PATH'} = "/bin:/usr/bin";
        #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

        use CGI;
        my $q = CGI->new;

        my $foo = $q->param('foo');

        open OF, "> /tmp/$foo";

        print OF "blah blah blah";
        close OF;

        print "Content-type: text/html\n\n";

        print "Taint: ${^TAINT}<br>";

        print "done<br>";

Behaves normally when run without mod_perl, i.e. it tosses 500 errors
and screams bloody murder.  However, with the following setup (only
relevant parts shown):

PerlTaintCheck  On
PerlWarn        On

<VirtualHost *:80>
        Alias   /cgi-bin/       /usr/lib/cgi-bin/

        <Directory /usr/lib/cgi-bin>
                Options +ExecCGI -Multiviews
                
                SetHandler                      perl-script
                PerlOptions                     +ParseHeaders
                PerlResponseHandler             ModPerl::Registry
        </Directory>

</VirtualHost>

The CGI runs without error, opening files under /tmp based on CGI
parameter inputs.  The taint mode flag shows that taint mode is enabled,
and if $ENV{PATH} is not cleaned, it throws errors.  The behavior is the
same with both PerlTaintCheck On and PerlSwitches -T.

What am I missing?  I have production code that is apparently not as
protected as I would like.

Thanks in advance.

-- 
-Nik

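Added example, not part of the original post and not the poster's code: a variant of the test script that reports whether the parameter value itself carries the taint flag (via `Scalar::Util::tainted`) and then validates the name explicitly, so the file write does not depend on taint mode firing. The `safe_name` helper and its allow-list pattern are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post). safe_name() and its
# allow-list pattern are hypothetical, chosen for illustration.
use strict;
use warnings;
use CGI;
use Scalar::Util qw(tainted);

$ENV{'PATH'} = "/bin:/usr/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

# Return a validated, untainted file name, or undef when the input is not
# a plain name of 1-64 characters from [A-Za-z0-9_-].
sub safe_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Capturing through a regex is Perl's documented way to untaint a value.
    return $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

my $q   = CGI->new;
my $foo = $q->param('foo');

print "Content-type: text/html\n\n";

# Diagnostic: the global taint flag versus the taint state of this one value.
printf "Taint mode: %d<br>\n", ${^TAINT};
printf "param tainted: %s<br>\n", (tainted($foo) ? "yes" : "no");

my $name = safe_name($foo);
if (!defined $name) {
    # Never echo the rejected value back into the page.
    print "rejected: invalid file name<br>\n";
}
elsif (open(my $of, '>', "/tmp/$name")) {
    # Three-argument open: the name is never parsed for mode characters.
    print {$of} "blah blah blah";
    close $of;
    print "done<br>\n";
}
else {
    print "open failed<br>\n";   # keep $! out of the response
}
```

If the page shows `Taint mode: 1` together with `param tainted: no`, the value reached the script without the taint flag, which matches the behavior described in the post.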