Cgi on IIS

2002-01-16 Thread maureen


I hope someone can help me out.

I set up this cgi file and html form on a Unix server. The script
changes a user's password in a text file.

This works correctly on a Unix Server. However, I need to move these
files to an IIS server.
In testing on the IIS server,  I get an HTTP Error 405- Method not
allowed when the form is submitted. 

I did some research, but was unable to determine how to correct the
error. 

If anyone could help me out, I'd really appreciate it.

Thanks, Maureen

#!/usr/bin/perl
require "cgi-lib.pl";
#process incoming form data 
&ReadParse;
#set content type
print &PrintHeader;
#initialize variables
$pwfile =
"/data1/hypermart.net/worldwidewebstrategies/datafile/pwdata.txt";
$tmpfile =
"/data1/hypermart.net/worldwidewebstrategies/datafile/pwdata.tmp";
$lokfile =
"/data1/hypermart.net/worldwidewebstrategies/datafile/pwlock.fil";
#Print initial tags for web page
print "\n";
#check for existence of password file
unless (-e $pwfile)
{ 
#password file doesn't exist!
#print message & shut down
print <<"PrintTag";
Sorry!
$pwfile hasn't been uploaded to the
proper directory. Please contact the webmaster.


PrintTag
exit(0);
}
#check for blank form fields
if ($in{'oldname'}eq"" || $in{'oldpw'}eq"")
{
#re-create form and shut down program
print <<"PrintTag";
ERROR: Please type your current username and
password in the spaces provided.
<FORM ACTION="http://server37.hypermart.net/worldwidewebstrategies/cgi-bin/changepw.cgi" METHOD="post">
Your current username:

Your current password:

Your new password:

Type your new password again:


PrintTag
if ($in{'delete'} eq "yes")
{
print "\n";
}
else
{
print "\n";
}
print <<"PrintTag";





PrintTag
exit(0);  
} 
#make sure new passwords match 
if ($in{'newpw1'} ne $in{'newpw2'})
{ 
#re-create form and shut down program  
print <<"PrintTag";
ERROR: Your new passwords didn't match. 
You must type your new password exactly the same way twice. 
Please try again.
<FORM ACTION="http://server37.hypermart.net/worldwidewebstrategies/cgi-bin/changepw.cgi" METHOD="post">
Your current username:

Your current password:

Your new password:

Type your new password again:





PrintTag
exit(0);  
}
#check for existence of lock file  
if (-e $lokfile)   
{ 
#lock file exists! print message & shut down   
print <<"PrintTag";
Try again!  
The database is in use. Please try again later.  
  
  
PrintTag
exit(0);  
} 
#everything is okay. Create lock file.  
open(LOCK_FILE, ">$lokfile") || 
die "Couldn't create $lokfile\n";
#open password file in read-only mode 
open(FILE,"$pwfile") || 
die "Can't find $pwfile.\n"; 
#store database contents in an array and close file
@indata = <FILE>;
close(FILE);
#open temp file in overwrite mode 
open(TEMP,">$tmpfile") || 
die "Can't create $tmpfile.\n"; 
#copy password file contents to temp file 
#use a foreach loop to process each record in the array
foreach $i (@indata)
{
#remove hard return character from each record
chomp($i);
#split fields on pipe character
#assign a variable name to each of the fields
($username,$password) = split(/\|/,$i);
if ($username eq $in{'oldname'} && 
$password eq $in{'oldpw'} && 
$in{'delete'} ne "yes")
{
print TEMP "$in{'oldname'}|$in{'newpw1'}\n";   
print " Success!Your password has been changed.\n";
}
elsif ($username eq $in{'oldname'} && 
$in{'delete'} eq "yes")
{
print "Your password has been deleted.\n";
}
else
{
print TEMP "$i\n";
}
} 
#close temp file 
close(TEMP);
#change file names 
rename($pwfile, $pwfile.".old"); 
rename($tmpfile, $pwfile); 
#close and delete lock file 
close(LOCK_FILE); 
unlink($lokfile);
#close web page
print "Thank you! \n";
print "\n";
#end of script

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




PERL CGI on IIS

2004-07-12 Thread Mike Garner
I've written a PERL cgi script that I'd like to use to reset a user's
password within Microsoft's Active Directory.  The script runs well from the
command line of the web server and from any other windows box (with PERL
installed). However, when it is executed from IIS, the security of IIS
prevents it from completing one of the methods of the Win32::OLE module so
the script fails. Posing this question to general IIS/Windows support groups
returns the result of "Ask the PERL folks". I'm hoping someone within this
forum can help (though I believe the problem to be IIS security related,
maybe someone here has experienced this themselves).

 

My script:

use strict;
use CGI ':standard';
use Win32::OLE;
use URI;

# snip - retrieve values from form, etc.

###--Create LDAP Connection to Active Directory
my $adsinamespaces = CreateObject Win32::OLE 'ADsNameSpaces'
    or print qq(Nope, step 1);
my $ldapnamespace = $adsinamespaces->getobject("", "LDAP:")
    or print qq(nope, step2);
my $userdsobject = $ldapnamespace->OpenDSObject(
    "LDAP://winad1.wsc.western.edu/OU=Users,dc=wsc,dc=western,dc=edu",
    "cn=$user,ou=$ou,OU=Users,dc=wsc,dc=western,dc=edu",
    $old_password, 1)
    or print qq(nope, step 3);

###--Bind to specific user account
# (plain string assignment; there is nothing to check for failure here)
my $ADsPath = "LDAP://CN=$user,OU=$ou,OU=Users,DC=WSC,DC=western,DC=edu";

##the next line always fails via CGI
my $u = Win32::OLE->GetObject($ADsPath)
    or print qq(nope, get object failed);
$u->SetPassword($new_password);
$u->SetInfo();

 

The script always fails on the GetObject method line when it is executed via
CGI. What is that command doing that IIS doesn't appreciate?

 

Any suggestions?

 

Thanks,

Mike



Re: Cgi on IIS

2002-01-17 Thread K.L. Hayes

Hello Maureen,

The only time I've seen the HTTP Error 405- when submitting a form is
when I've inadvertently used action="post" instead of action="POST"
which I see you've done in your script.

I must have banged my head on that for over an hour before I figured
it out. Hope this helps.

-- 
Best regards,
K.L. Hayes
mailto:[EMAIL PROTECTED]

Wednesday, January 16, 2002, 1:18:39 PM, you wrote:

m> I hope someone can help me out.

m> I set up this cgi file and html form on a Unix server. The script
m> changes a user's password in a text file.

m> This works correctly on a Unix Server. However, I need to move these
m> files to an IIS server.
m> In testing on the IIS server,  I get an HTTP Error 405- Method not
m> allowed when the form is submitted. 

m> I did some research, but was unable to determine how to correct the
m> error. 

m> If anyone could help me out, I'd really appreciate it.

m> Thanks, Maureen

m> #!/usr/bin/perl
m> require "cgi-lib.pl";
m> #process incoming form data 
m> &ReadParse;
m> #set content type
m> print &PrintHeader;
m> #initialize variables
m> $pwfile =
m> "/data1/hypermart.net/worldwidewebstrategies/datafile/pwdata.txt";
m> $tmpfile =
m> "/data1/hypermart.net/worldwidewebstrategies/datafile/pwdata.tmp";
m> $lokfile =
m> "/data1/hypermart.net/worldwidewebstrategies/datafile/pwlock.fil";
m> #Print initial tags for web page
m> print "\n";
m> #check for existence of password file
m> unless (-e $pwfile)
m> { 
m> #password file doesn't exist!
m> #print message & shut down
m> print <<"PrintTag";
m> Sorry!
m> $pwfile hasn't been uploaded to the
m> proper directory. Please contact the webmaster.
m> 
m> 
m> PrintTag
m> exit(0);
m> }
m> #check for blank form fields
m> if ($in{'oldname'}eq"" || $in{'oldpw'}eq"")
m> {
m> #re-create form and shut down program
m> print <<"PrintTag";
m> ERROR: Please type your current username and
m> password in the spaces provided.
m> <FORM ACTION="http://server37.hypermart.net/worldwidewebstrategies/cgi-bin/changepw.cgi" METHOD="post">
m> Your current username:
m> 
m> Your current password:
m> 
m> Your new password:
m> 
m> Type your new password again:
m> 
m> 
m> PrintTag
m> if ($in{'delete'} eq "yes")
m> {
m> print " NAME=\"delete\" VALUE=\"yes\" CHECKED>\n";
m> }
m> else
m> {
m> print "\n";
m> }
m> print <<"PrintTag";
m> 
m> 
m> 
m> 
m> 
m> PrintTag
m> exit(0);  
m> } 
m> #make sure new passwords match 
m> if ($in{'newpw1'} ne $in{'newpw2'})
m> { 
m> #re-create form and shut down program  
m> print <<"PrintTag";
m> ERROR: Your new passwords didn't match. 
m> You must type your new password exactly the same way twice. 
m> Please try again.
m> <FORM ACTION="http://server37.hypermart.net/worldwidewebstrategies/cgi-bin/changepw.cgi" METHOD="post">
m> Your current username:
m> 
m> Your current password:
m> 
m> Your new password:
m> 
m> Type your new password again:
m> 
m> 
m> 
m> 
m> 
m> PrintTag
m> exit(0);  
m> }
m> #check for existence of lock file  
m> if (-e $lokfile)   
m> { 
m> #lock file exists! print message & shut down   
m> print <<"PrintTag";
m> Try again!  
m> The database is in use. Please try again later.  
m>   
m>   
m> PrintTag
m> exit(0);  
m> } 
m> #everything is okay. Create lock file.  
m> open(LOCK_FILE, ">$lokfile") || 
m> die "Couldn't create $lokfile\n";
m> #open password file in read-only mode 
m> open(FILE,"$pwfile") || 
m> die "Can't find $pwfile.\n"; 
m> #store database contents in an array and close file
m> @indata = <FILE>;
m> close(FILE);
m> #open temp file in overwrite mode 
m> open(TEMP,">$tmpfile") || 
m> die "Can't create $tmpfile.\n"; 
m> #copy password file contents to temp file 
m> #use a foreach loop to process each record in the array
m> foreach $i (@indata)
m> {
m> #remove hard return character from each record
m> chomp($i);
m> #split fields on pipe character
m> #assign a variable name to each of the fields
m> ($username,$password) = split(/\|/,$i);
m> if ($username eq $in{'oldname'} && 
m> $password eq $in{'oldpw'} && 
m> $in{'delete'} ne "yes")
m> {
m> print TEMP "$in{'oldname'}|$in{'newpw1'}\n";   
m> print " Success!Your password has been changed.\n";
m> }
m> elsif ($username eq $in{'oldname'} && 
m> $in{'delete'} eq "yes")
m> {
m> print "Your password has been deleted.\n";
m> }
m> else
m> {
m> print TEMP "$i\n";
m> }
m> } 
m> #close temp file 
m> close(TEMP);
m> #change file names 
m> rename($pwfile, $pwfile.".old"); 
m> rename($tmpfile, $pwfile); 
m> #close and delete lock file 
m> close(LOCK_FILE); 
m> unlink($lokfile);
m> #close web page
m> print "Thank you! \n";
m> print "\n";
m> #end of script







RE: Cgi on IIS

2002-01-19 Thread Gary Hawkins

Maybe the file name has a .cgi extension?  .cgi is not set for execute by
default.  Try renaming it .pl assuming you installed ActivePerl.  Or in
Internet Services Manager right click the scripts folder, and take a look at
the instructions in the attached mail of a few days ago.  I'm figuring that'll
probably do it.

Note that last time I installed ActivePerl it set .pl to perl "%s" %s as I
recall, but the extra double quotes may not matter, or maybe would apply if
your path/to/script had a space in it.

/g

> -Original Message-
> From: maureen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 16, 2002 1:19 PM
> To: Beginners CGI List; [EMAIL PROTECTED]
> Subject: Cgi on IIS
>
>
>
> I hope someone can help me out.
>
> I set up this cgi file and html form on a Unix server. The script
> changes a user's password in a text file.
>
> This works correctly on a Unix Server. However, I need to move these
> files to an IIS server.
> In testing on the IIS server,  I get an HTTP Error 405- Method not
> allowed when the form is submitted.
>
> I did some research, but was unable to determine how to correct the
> error.
>
> If anyone could help me out, I'd really appreciate it.
>
> Thanks, Maureen
>
> #!/usr/bin/perl
> require "cgi-lib.pl";
> #process incoming form data
> &ReadParse;
> #set content type
> print &PrintHeader;
> #initialize variables
> $pwfile =
> "/data1/hypermart.net/worldwidewebstrategies/datafile/pwdata.txt";
> $tmpfile =
> "/data1/hypermart.net/worldwidewebstrategies/datafile/pwdata.tmp";
> $lokfile =
> "/data1/hypermart.net/worldwidewebstrategies/datafile/pwlock.fil";
> #Print initial tags for web page
> print "\n";
> #check for existence of password file
> unless (-e $pwfile)
> {
> #password file doesn't exist!
> #print message & shut down
> print <<"PrintTag";
> Sorry!
> $pwfile hasn't been uploaded to the
> proper directory. Please contact the webmaster.
> 
> 
> PrintTag
> exit(0);
> }
> #check for blank form fields
> if ($in{'oldname'}eq"" || $in{'oldpw'}eq"")
> {
> #re-create form and shut down program
> print <<"PrintTag";
> ERROR: Please type your current username and
> password in the spaces provided.
> <FORM ACTION="http://server37.hypermart.net/worldwidewebstrategies/cgi-bin/changepw.cgi" METHOD="post">
> Your current username:
> 
> Your current password:
> 
> Your new password:
> 
> Type your new password again:
> 
> 
> PrintTag
> if ($in{'delete'} eq "yes")
> {
> print " NAME=\"delete\" VALUE=\"yes\" CHECKED>\n";
> }
> else
> {
> print "\n";
> }
> print <<"PrintTag";
> 
> 
> 
> 
> 
> PrintTag
> exit(0);
> }
> #make sure new passwords match
> if ($in{'newpw1'} ne $in{'newpw2'})
> {
> #re-create form and shut down program
> print <<"PrintTag";
> ERROR: Your new passwords didn't match.
> You must type your new password exactly the same way twice.
> Please try again.
> <FORM ACTION="http://server37.hypermart.net/worldwidewebstrategies/cgi-bin/changepw.cgi" METHOD="post">
> Your current username:
> 
> Your current password:
> 
> Your new password:
> 
> Type your new password again:
> 
> 
> 
> 
> 
> PrintTag
> exit(0);
> }
> #check for existence of lock file
> if (-e $lokfile)
> {
> #lock file exists! print message & shut down
> print <<"PrintTag";
> Try again!
> The database is in use. Please try again later.
> 
> 
> PrintTag
> exit(0);
> }
> #everything is okay. Create lock file.
> open(LOCK_FILE, ">$lokfile") ||
> die "Couldn't create $lokfile\n";
> #open password file in read-only mode
> open(FILE,"$pwfile") ||
> die "Can't find $pwfile.\n";
> #store database contents in an array and close file
> @indata = <FILE>;
> close(FILE);
> #open temp file in overwrite mode
> open(TEMP,">$tmpfile") ||
> die "Can't create $tmpfile.\n";
> #copy password file contents to temp file
> #use a foreach loop to process each record in the array
> foreach $i (@indata)
> {
> #remove hard return character from each record
> chomp($i);
> #split fields on pipe character
> #assign a variable name to each of the fields
> ($username,$password) = split(/\|/,$i);
> if ($username eq $in{'oldname'} &&
> $password e

CGI on IIS <- bad idea?

2001-08-14 Thread Eric Wang

Thanks! can you explain what does the taint option do?
I usually just use #!/script/perl.exe

Thanks for your help!
eric

On Tue, 14 Aug 2001, Curtis Poe wrote:

> --- Eric Wang <[EMAIL PROTECTED]> wrote:
> > Can you run CGI on IIS?
> > sorry, I always thought you either need apache or httpd for unix/linux but
> > if IIS can run CGI,it'll be great!
> >
> > eric
>
> Eric,
>
> You can run CGI on IIS, but if you run ActiveState Perl, it will set up IIS to run your CGI
> scripts through ISAPI (Internet Server Application Programming Interface) instead of as straight
> CGI.  ISAPI runs your Perl scripts through the perlis.dll which has the advantage of being
> persistent in memory, thus giving you faster response time, but has the disadvantage of not being
> able to pass certain switches to Perl.  In particular, you can't pass the -T switch and activate
> taint checking.  This is a significant security problem.  You can read more about this at
> http://www.perlmonks.org/index.pl?node_id=82619.
>
> Cheers,
> Curtis Poe
>
> =
> Senior Programmer
> Onsite! Technology (http://www.onsitetech.com/)
> "Ovid" on http://www.perlmonks.org/
>
> __
> Do You Yahoo!?
> Make international calls for as low as $.04/minute with Yahoo! Messenger
> http://phonecard.yahoo.com/




Re: CGI on IIS <- bad idea?

2001-08-14 Thread Curtis Poe

--- Eric Wang <[EMAIL PROTECTED]> wrote:
> Thanks! can you explain what does the taint option do?
> I usually just use #!/script/perl.exe
> 
> Thanks for your help!
> eric

Eric,

If you enable taint checking, any data coming into your program from outside of the program is
considered "tainted".  Perl tries to ensure that tainted data is not used to affect anything
outside of the program and will kill the program rather than allow Bad Things to happen.  This
script will die if you try to run it:

#!/usr/bin/perl -wT
use strict;

# $file comes from outside the program, so it is tainted
my $file = <STDIN>;
chomp $file;

open FILE, "> $file" or die "Can't open $file for writing: $!";

Note that the "or die" is not what's killing the script.  Trying to use a tainted variable ($file)
to open a file for writing is what kills the script, assuming taint mode is enabled.  Trying to
read from the file is considered safe, however:

open FILE, "< $file" or die "Can't open $file for reading: $!";

Unfortunately, this causes problems in many programs where someone enters something like
"/etc/passwd" in a CGI script and potentially gains access to info that they shouldn't (of course,
that ignores that the system should be using shadow passwords, but this is just an example).  On
Unix-like systems, you can also append a pipe to the filename and that will cause an attempt to
execute the file instead of opening it.  That's why we have taint checking:  it forces us to
examine these variables and make sure that the data is safe.

To learn more about taint checking and how to "untaint" a variable, open a command prompt and type
"perldoc perlsec".  This will also explain exactly what Perl considers tainted.

You can also read Lesson Three of my online CGI course and gain a *basic* understanding of CGI
security:

http://www.easystreet.com/~ovid/cgi_course/lesson_three/lesson_three.html

Cheers,
Curtis Poe

=
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
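
An added example, not part of the post above: one way to untaint a file name before opening it for writing, using the allowlist regex capture that "perldoc perlsec" describes. The directory ./cgi-data, the sub name untaint_filename and the sample inputs are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Start it as:  perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "Run this with: perl -T $0\n" unless ${^TAINT};

# Assumption for the example: every file lives in one directory that the
# programmer picks. Nothing from the request chooses the directory.
my $BASE_DIR = './cgi-data';

# Return an untainted bare file name, or undef when the input is refused.
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;

    # Allowlist: starts with a letter or digit, then letters, digits, '_',
    # '.' or '-', 64 characters at most. A slash, backslash, pipe, space,
    # newline or NUL byte cannot match, so "/etc/passwd" and "ls |" fail.
    # The capture is what removes the taint flag from the value.
    my ($name) = $raw =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,63})\z/
        or return undef;

    # Windows-specific refusals: reserved device names and a trailing dot.
    return undef if $name =~ /\A(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(?:\.|\z)/i;
    return undef if $name =~ /\.\z/;
    return $name;
}

# Constructed sample inputs. Appending a zero-length tainted string marks
# them tainted, as if they had arrived in a form field.
my $TAINT   = substr(join('', $0, $^X, values %ENV), 0, 0);
my @samples = map { $_ . $TAINT }
    ('report.txt', '/etc/passwd', '../pwdata.txt', 'ls |', 'NUL');

unless (-d $BASE_DIR) {
    mkdir $BASE_DIR, 0700 or die "Can't create $BASE_DIR: $!";
}

for my $raw (@samples) {
    my $name = untaint_filename($raw);
    unless (defined $name) {
        print "refused:  '$raw'\n";
        next;
    }

    # Three-argument open: the mode is fixed, so the file name can never
    # be read as a mode character or a pipe.
    my $path = "$BASE_DIR/$name";
    open(my $fh, '>>', $path) or die "Can't open $path for writing: $!";
    print {$fh} "entry written ", scalar(localtime), "\n";
    close($fh) or die "Can't close $path: $!";

    printf "accepted: '%s' (input tainted: %s, name tainted: %s)\n",
        $raw, (tainted($raw) ? 'yes' : 'no'), (tainted($name) ? 'yes' : 'no');
}
```

Only report.txt is accepted; the other four inputs are refused before any open is attempted.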





Re: Re: CGI on IIS <- bad idea?

2001-08-15 Thread Mark Bergeron

Taint won't run on Win32 anyway.

-Original Message-
From: "Curtis Poe"<[EMAIL PROTECTED]>
To: "CGI Beginners"<[EMAIL PROTECTED]>
Date: Tue Aug 14 15:02:40 PDT 2001
Subject: Re: CGI on IIS <- bad idea?

>--- Eric Wang <[EMAIL PROTECTED]> wrote:
>> Thanks! can you explain what does the taint option do?
>> I usually just use #!/script/perl.exe
>> 
>> Thanks for your help!
>> eric
>
>Eric,
>
>If you enable taint checking, any data coming into your program from outside of the program is
>considered "tainted".  Perl tries to ensure that tainted data is not used to affect anything
>outside of the program and will kill the program rather than allow Bad Things to happen.  This
>script will die if you try to run it:
>
>#!/usr/bin/perl -wT
>use strict;
>
>my $file = <STDIN>;
>chomp $file;
>
>open FILE, "> $file" or die "Can't open $file for writing: $!";
>
>Note that the "or die" is not what's killing the script.  Trying to use a tainted variable ($file)
>to open a file for writing is what kills the script, assuming taint mode is enabled.  Trying to
>read from the file is considered safe, however:
>
>open FILE, "< $file" or die "Can't open $file for reading: $!";
>
>Unfortunately, this causes problems in many programs where someone enters something like
>"/etc/passwd" in a CGI script and potentially gains access to info that they shouldn't (of course,
>that ignores that the system should be using shadow passwords, but this is just an example).  On
>Unix-like systems, you can also append a pipe to the filename and that will cause an attempt to
>execute the file instead of opening it.  That's why we have taint checking:  it forces us to
>examine these variables and make sure that the data is safe.
>
>To learn more about taint checking and how to "untaint" a variable, open a command prompt and type
>"perldoc perlsec".  This will also explain exactly what Perl considers tainted.
>
>You can also read Lesson Three of my online CGI course and gain a *basic* understanding of CGI
>security:
>
>http://www.easystreet.com/~ovid/cgi_course/lesson_three/lesson_three.html
>
>Cheers,
>Curtis Poe
>
>=
>Senior Programmer
>Onsite! Technology (http://www.onsitetech.com/)
>"Ovid" on http://www.perlmonks.org/
>

/~_. _ | _ _  _  _ 
\_/|(_||| | |(_)| |
 _|
___
GO.com Mail
Get Your Free, Private E-mail at http://mail.go.com







Re: Re: CGI on IIS <- bad idea?

2001-08-15 Thread Curtis Poe

--- Mark Bergeron <[EMAIL PROTECTED]> wrote:
> Taint won't run on Win32 anyway.

Mark,

This is actually a common misconception.  Taint checking works just fine on Win32 using
ActiveState Perl.  Try the following from the command line:

perl -Te "$x=shift;open TEST, qq/>$x/" test.txt

You will get the following error message:

Insecure dependency in open while running with -T switch at -e line 1.

Taint checking is problematic on Win32 systems *usually* because of the way the programs are run.
If you type "perl somescript.pl" and you have the -T switch on the shebang line, you will get the
"Too late for "-T" option at somescript.pl line 1." error.  The easiest way to get around this is
to explicitly pass the -T switch to the perl interpreter:

perl -T somescript.pl

If this doesn't work for you, what version of Perl are you using?

Cheers,
Curtis Poe

=
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/





Re: Re: CGI on IIS <- bad idea?

2001-08-15 Thread Eric Wang


So I can actually use a CGI to carry out the perl script in the front end
and put the -T inside the cgi right? and the users cannot see which perl
script was executed because it's on the server site.
Is that right?

eric

On Wed, 15 Aug 2001, Curtis Poe wrote:

> --- Mark Bergeron <[EMAIL PROTECTED]> wrote:
> > Taint won't run on Win32 anyway.
>
> Mark,
>
> This is actually a common misconception.  Taint checking works just fine on Win32 using
> ActiveState Perl.  Try the following from the command line:
>
> perl -Te "$x=shift;open TEST, qq/>$x/" test.txt
>
> You will get the following error message:
>
> Insecure dependency in open while running with -T switch at -e line 1.
>
> Taint checking is problematic on Win32 systems *usually* because of the way the programs are run.
> If you type "perl somescript.pl" and you have the -T switch on the shebang line, you will get the
> "Too late for "-T" option at somescript.pl line 1." error.  The easiest way to get around this is
> to explicitly pass the -T switch to the perl interpreter:
>
> perl -T somescript.pl
>
> If this doesn't work for you, what version of Perl are you using?
>
> Cheers,
> Curtis Poe
>
> =
> Senior Programmer
> Onsite! Technology (http://www.onsitetech.com/)
> "Ovid" on http://www.perlmonks.org/
>




Re: Re: CGI on IIS <- bad idea?

2001-08-15 Thread Curtis Poe

--- Eric Wang <[EMAIL PROTECTED]> wrote:
> 
> So I can actually use a CGI to carry out the perl script in the front end
> and put the -T inside the cgi right? and the users cannot see which perl
> script was executed because it's on the server site.
> Is that right?
> 
> eric

Eric,

You'll have to go into IIS and see what cgi script extension is associated with (i.e., what opens
it).  If it's associated with PerlIS.dll, you will have faster performance, but cannot use taint
checking.

Generally, taint checking on Windows with IIS is difficult with CGI scripts because IIS does not
recognize the shebang line (except for the switches).  It relies on the program associated with a
particular extension.  Since this program is executed *before* the script is read in, you get a
"Too late for -T" error if you try to use taint checking.

If you can live with slightly slower performance on IIS (kind of a given, huh? :), you can do the
following on IIS 5.  Open up the Internet Information Services console and right-click on the Web
site you want to adjust and select "properties".  On the properties window, click on Home
Directory and if Execute Permissions has 'scripts' in the drop down, click the "Configuration".
On the configuration window, select the extension that you want to change and click "Edit".  In
the following window, in the "Executable" window, enter "D:\Perl\bin\Perl.exe -T %s %s" (without
the quotes and make sure that you have the correct path to Perl.exe).

Please note that *all* of your CGI programs with the chosen extension will then have taint
checking enabled.  This is not a backwards-compatible fix.  You may need to add a new extension
and migrate your scripts over.

Depending upon how your system is set up, those instructions may change slightly.  You'll need to
talk to your box's administrator to get things to work.

Since going with straight CGI instead of ISAPI is a performance killer and my personal research
has revealed NO suitable alternatives when using IIS, you may wish to consider mod_perl with
Apache for Win32.  You can find more information about mod_perl with ActivePerl at
http://www.mail-archive.com/modperl%40apache.org/msg11515.html.  However, I think this may still
be a beta product at best.  If you need performance *and* security, Windows is not your best
option (though that's what we use where I work).

Good luck!
Curtis Poe

=
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
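
A startup guard for the situation described above, added here as an example and not taken from the post: the script checks whether the extension mapping really started Perl with -T and refuses to handle the request if it did not. The sub name taint_mode_active and the response text are assumptions; ${^TAINT} needs Perl 5.8 or later, so the probe from "perldoc perlsec" is included as a fallback for older builds.

```perl
# Added example, not from the thread. Place it at the top of a CGI script
# whose extension is mapped to Perl.exe. There is no -T on a shebang line
# here on purpose: the switch has to come from the script mapping.
use strict;
use warnings;

# True only when perl itself was started with -T.
sub taint_mode_active {
    # Perl 5.8 and later: 1 = taint mode on, 0 = off, -1 = warnings only.
    return ${^TAINT} == 1 if defined ${^TAINT};

    # Older builds: eval of a tainted string dies under -T and succeeds
    # without it. Values from %ENV are tainted whenever -T is in effect.
    local $@;
    my $probe = substr(join('', $0, $^X, values %ENV), 0, 0);
    return eval { eval('#' . $probe); 1 } ? 0 : 1;
}

unless (taint_mode_active()) {
    # Detail goes to STDERR for the administrator; the client only
    # learns that the request was not served.
    warn "refusing to run $0: taint mode is off (interpreter: $^X)\n";
    print "Status: 500 Internal Server Error\r\n",
          "Content-Type: text/plain\r\n\r\n",
          "This script is not configured correctly.\n";
    exit 1;
}

# From here on every form field is tainted and has to be validated
# before it reaches open(), system() or similar calls.
print "Content-Type: text/plain\r\n\r\n", "taint mode is active\n";
```

With the guard in place, a mapping that points at PerlIS.dll or at Perl.exe without -T produces an error response instead of a script that silently runs unchecked.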





Re: Re: CGI on IIS <- bad idea?

2001-08-15 Thread Mark Bergeron

This could be. When running under

#!/usr/bin/perl -wT

Too late for -T

I'm running 626 on Win2K Pro IIS

-Original Message-
From: "Curtis Poe"<[EMAIL PROTECTED]>
To: "CGI Beginners"<[EMAIL PROTECTED]>
Date: Wed Aug 15 09:50:54 PDT 2001
Subject: Re: CGI on IIS <- bad idea?

>--- Mark Bergeron <[EMAIL PROTECTED]> wrote:
>> Taint won't run on Win32 anyway.
>
>Mark,
>
>This is actually a common misconception.  Taint checking works just fine on Win32 using
>ActiveState Perl.  Try the following from the command line:
>
>perl -Te "$x=shift;open TEST, qq/>$x/" test.txt
>
>You will get the following error message:
>
>Insecure dependency in open while running with -T switch at -e line 1.
>
>Taint checking is problematic on Win32 systems *usually* because of the way the programs are run.
>If you type "perl somescript.pl" and you have the -T switch on the shebang line, you will get the
>"Too late for "-T" option at somescript.pl line 1." error.  The easiest way to get around this is
>to explicitly pass the -T switch to the perl interpreter:
>
>perl -T somescript.pl
>
>If this doesn't work for you, what version of Perl are you using?
>
>Cheers,
>Curtis Poe
>
>=
>Senior Programmer
>Onsite! Technology (http://www.onsitetech.com/)
>"Ovid" on http://www.perlmonks.org/
>




Re: Re: CGI on IIS <- bad idea?

2001-08-15 Thread Curtis Poe

--- Mark Bergeron <[EMAIL PROTECTED]> wrote:
> This could be. When running under
> 
> #!/usr/bin/perl -wT
> 
> Too late for -T
> 
> I'm running 626 on Win2K Pro IIS

Mark,

If you see my reply to Eric Wang in this thread, I describe how to get around this problem.
Basically, what's going on is that IIS does not recognize the shebang line (except for the
switches).  Instead of launching the program there (which it wouldn't find anyway unless you
somehow have a /usr/bin/perl on a Win2K box), it checks the Perl program's extension and launches
the program associated with it and *then* feeds the program with the switches.  Perl needs to be
started with the -T switch passed directly.  I explain how to do that in my previous post, though
it will kill your performance.

As a side note, I contacted ActiveState about their ISAPI dll and they informed me that they were
considering supporting taint checking in future versions.  Given what I consider a lax attention
to security in the past, I am not hopeful that this will actually come to pass.

Cheers,
Curtis Poe

=
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
