
Re: [MacPerl] taint checks and CGI.pm



At 17.56 12/27/97, Chris Nandor wrote:
>At 16.20 12/27/97, Karsten Meier wrote:
>>BEGIN {
>>        unshift @INC, "$ENV{MACPERL}lib:MacPPC:","$ENV{MACPERL}lib:"
>>}
>
>
>>I needed to write
>>BEGIN {
>>        unshift @INC, "work:MacPerl Ä:lib:MacPPC:","work:MacPerl Ä:lib:"
>>}
>>to get my script working.
>
>>I'm still wondering why "use CGI" was secure,
>>but the eval in autoload not.

OK, still not sure why the use() works with the first version, but this
version will work:


BEGIN {
  # $ENV{MACPERL} is tainted under -T; a capture group from a regex match
  # is not, so $1 carries the same value without the taint flag.
  $ENV{MACPERL} =~ /^(.+)$/;
  my $f = $1;
  unshift @INC, "${f}lib:MacPPC:","${f}lib:";
}

Substitute "MacCFM68K" for "MacPPC" if that is your architecture.  If you
use BigMacPerl, you can substitute "Mac68K", though that folder does not
exist so it should not matter.  :)

In MacPerl 5.1.6 (coming soon :), this will be the fully portable way of
doing it:

BEGIN {
  # Same untaint as above; the architecture folder name comes from MacPerl
  # itself instead of being hard-coded.
  $ENV{MACPERL} =~ /^(.+)$/;
  my $f = $1;
  unshift @INC, "${f}lib:${MacPerl::Architecture}:","${f}lib:";
}



NOTE: what this does is untaint the environment variable MACPERL.  This
should not be a problem, but as always, tainting is only as secure as your
machine is.  If bad people have direct access to your machine, then the CGI
itself cannot be trusted, let alone any module that it uses.

That is kinda the point of all this; it would be a Bad Thing to do on a
Unix box, where someone can mess up your paths and environment variables,
so that is why they are tainted.  We bypass the tainting with this, knowing
that if someone can edit CGI.pm to do bad things, they can also edit the
CGI to do bad things, or the MacPerl app itself.

What we are really concerned with in this case is the CGI data doing bad
things, and this method protects us from that (if you use the special taint
check CGI Script extension on my web page).

--
Chris Nandor               pudge@pobox.com           http://pudge.net/
%PGPKey=('B76E72AD',[1024,'0824 090B CE73 CA10  1FF7 7F13 8180 B6B6'])
#==                    MacPerl: Power and Ease                     ==#
#==    Publishing Date: Early 1998. http://www.ptf.com/macperl/    ==#
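Added example, not from the post above or from MacPerl itself: it runs the post's /^(.+)$/ untaint beside a stricter helper that only accepts a Mac path of colon-terminated segments and dies instead of reusing a stale $1 when the value is unexpected. The helper names (untaint_any, untaint_mac_path) and the sample MACPERL value are assumptions made for this example; run it with "perl -T".

```perl
# Added example (not the post's own code). Run with: perl -T this_file.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run this under perl -T, otherwise nothing is ever tainted\n"
    unless ${^TAINT};

# Constructed sample value. A literal assigned to %ENV is clean, so we
# splice in an empty tainted substring to make it tainted the way a real
# environment value would be.
$ENV{MACPERL} = 'work:MacPerl:' . substr($ENV{PATH} // '', 0, 0);

# 1. The post's idiom: /^(.+)$/ launders ANY non-empty string. It clears
#    the taint flag but validates nothing. The "or die" is the one check
#    the post's BEGIN block lacks: without it a failed match leaves $1
#    holding whatever the previous successful match captured.
sub untaint_any {                       # hypothetical helper name
    my ($v) = @_;
    defined $v && $v =~ /^(.+)$/ or die "MACPERL is empty or unset\n";
    return $1;
}

# 2. Stricter (hypothetical) helper: accept only one or more path
#    segments, each ending in ':' so "${f}lib:" stays a valid Mac path,
#    with no NUL bytes and no empty segments. Anything else fails closed.
sub untaint_mac_path {
    my ($v) = @_;
    defined $v && $v =~ /\A((?:[^\0:]+:)+)\z/
        or die "refusing to use MACPERL: unexpected value\n";
    return $1;
}

printf "raw MACPERL tainted?        %s\n", tainted($ENV{MACPERL}) ? 'yes' : 'no';

my $loose = untaint_any($ENV{MACPERL});
printf "after /^(.+)\$/ tainted?    %s\n", tainted($loose) ? 'yes' : 'no';

my $strict = untaint_mac_path($ENV{MACPERL});
printf "after strict match tainted? %s\n", tainted($strict) ? 'yes' : 'no';

# What the post's BEGIN block then does with the laundered value; a
# tainted entry here would make a later "require" die under -T.
unshift @INC, "${strict}lib:MacPPC:", "${strict}lib:";
print "\@INC now starts with: $INC[0]\n";

# A value that is not a colon-terminated path is rejected, not laundered:
eval { untaint_mac_path("work:MacPerl") };
print "rejected: $@" if $@;
```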



***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch