On Tue, Jul 15, 2003 at 04:30:35PM +0300, Stas Bekman wrote:
> Peter B. Ensch wrote:
>
> >>FWIW, I use the following code when I need to use ``|qx:
> >>
> >>local $ENV{PATH} = "/bin:/usr/bin";
> >>local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
> >
> >But this code must be used in each scope where you
Peter B. Ensch wrote:
FWIW, I use the following code when I need to use ``|qx:
local $ENV{PATH} = "/bin:/usr/bin";
local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
But this code must be used in each scope where you intend to use
backticks, a system call, etc. Is there no way to untaint your
PATH enviro
On Tue, Jul 15, 2003 at 12:19:14PM +0300, Stas Bekman wrote:
> Dominique Quatravaux wrote:
> >> Sorry, getting out of good ideas..
> >
> >
> > Surprise, surprise: I found out that my code does not work under
> >mod_perl 1.23 either! And I found the real solution: one has to add
> >
> > PerlSetup
Dominique Quatravaux wrote:
Sorry, getting out of good ideas..
Surprise, surprise: I found out that my code does not work under
mod_perl 1.23 either! And I found the real solution: one has to add
PerlSetupEnv Off
to the Apache configuration file. Now the untainting mumbo-jumbo in
<Perl> section
> Sorry, getting out of good ideas..
Surprise, surprise: I found out that my code does not work under
mod_perl 1.23 either! And I found the real solution: one has to add
PerlSetupEnv Off
to the Apache configuration file. Now the untainting mumbo-jumbo in
<Perl> section works.
Warning: this h
> Thanks for sharing your code; unfortunately, it's not working for me.
> I copied it into my httpd.conf file, stopped/started the server and
> I still get the same error:
Sorry, getting out of good ideas.. I'm not using mod_perl 1.99, this
probably explains why my code does not work, and also i
On Thu, Jul 10, 2003 at 10:25:59AM +0200, Dominique Quatravaux wrote:
> > I need some help with this. Can you share the code you use w/in
> > your <Perl> section?
>
> Sure! Here is how I untaint a selected range of variables from the
> WWW server's %ENV, and discard all the others (good move to ease
>
> I need some help with this. Can you share the code you use w/in
> your <Perl> section?
Sure! Here is how I untaint a selected range of variables from the
WWW server's %ENV, and discard all the others (good move to ease
debugging anyway):
# From httpd.conf
PerlTaintCheck On
BEGIN
On Wed, Jul 09, 2003 at 05:40:32PM +0200, Dominique Quatravaux wrote:
> > In plain CGI, I normally do this inside a BEGIN
> > block; in mod_perl however, this doesn't work.
>
> This would work if this was done in a <Perl> section of the httpd.conf
> file (this is what I do). I am not sure why the BEGIN
> In plain CGI, I normally do this inside a BEGIN
> block; in mod_perl however, this doesn't work.
This would work if this was done in a <Perl> section of the httpd.conf
file (this is what I do). I am not sure why the BEGIN block is not
executed, but my guess is that the environment gets automatically
perlsec says that to untaint the PATH env one should
do:
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
In plain CGI, I normally do this inside a BEGIN
block; in mod_perl however, this doesn't work. A
print of $ENV{PATH} returns the original tainted
PATH.
I