
Re: [MacPerl] taint checks and CGI.pm

--- begin quoted text

At 17.56 12/27/97, Chris Nandor wrote:
>At 16.20 12/27/97, Karsten Meier wrote:
>>BEGIN {
>>        unshift @INC, "$ENV{MACPERL}lib:MacPPC:","$ENV{MACPERL}lib:"
>>}
>
>
>>I needed to write
>>BEGIN {
>> unshift @INC, "work:MacPerl Ÿ:lib:MacPPC:","work:MacPerl Ÿ:lib:"
>>}
>>to get my script working.
>
>>I'm still wondering why "use CGI" was secure,
>>but the eval in autoload not.

OK, still not sure why the use() works with the first version, but this
version will work:



--
Chris Nandor               pudge@pobox.com           http://pudge.net/
%PGPKey=('B76E72AD',[1024,'0824 090B CE73 CA10  1FF7 7F13 8180 B6B6'])
#== MacPerl: Power and Ease ==#
#== Publishing Date: Early 1998. http://www.ptf.com/macperl/ ==#

--- end quoted text

I'm far away from my copy of the Camel, but I've been puzzled by this
particular thread. Maybe I just haven't been following it closely enough.
First, it makes sense to me in a Unix security way that use works and
require doesn't. use is compile time, require run time. It makes sense
that nothing from the environment is trusted, since Joe User can set his
own environment. Without being able to do anything Perlish for the next
few days (I'm travelling with my wife, and she's hogging the Powerbook and
my mother's phone line), I'm willing to bet that when taint checking is
on, a Unix Perl will ignore PERL5LIB, and use will use only hard wired
"system" library paths. (At least that's the impression I got from
following a thread on p5p this week.)

And finally, why all the effort to get the system specific library folder
into @INC, when, as they used to say in the Ragu commercials (*), "It's in
there"? In the library paths box or in PERL5LIB, any mention of :MacPerl
:lib: gets automagically expanded to include the appropriate system
specific library (just as it does on Unix).

The interesting thing in this thread is that AutoLoad gets caught in taint
checking, but that makes sense if you've ever looked at AutoLoad.pm. It
goes to a lot of effort involving @INC (which at this point can probably
no longer be trusted) to find the *.al.

(*) Explanation of this particular piece of Americana available upon
request to those fortunate enough never to have seen the commercials,
although you probably don't want to know.

-------
Paul J. Schinder
NASA Goddard Space Flight Center
Code 693
Greenbelt, MD 20771
schinder@leprss.gsfc.nasa.gov
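What the thread describes, as an added example that is not from any of the original messages: a script run under -T that shows PERL5LIB being ignored, an @INC entry built from %ENV tripping a run-time require (the AutoLoader case), and the deliberate untainting that fixes it. Unix-style paths, the script name taint_inc.pl and the borrowed variable name MACPERL are assumptions; MacPerl's "volume:folder:" path form is not used.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread.  Run it as, for instance:
#   MACPERL=/opt/myperl PERL5LIB=/home/joe/lib perl -T taint_inc.pl
# Unix-style paths stand in for MacPerl's "volume:folder:" form, and the
# environment variable name MACPERL is only borrowed from the thread.
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "set MACPERL in the environment before running\n"
    unless defined $ENV{MACPERL};

# 1. Under -T perl ignores PERL5LIB, so its entries never reach @INC.
my %inc = map { $_ => 1 } @INC;
for my $dir (split /:/, ($ENV{PERL5LIB} // '')) {
    print "PERL5LIB entry '$dir' was ignored under -T\n" unless $inc{$dir};
}

# 2. The thread's BEGIN block, Unix-style: an @INC entry built from %ENV.
#    Anything read from %ENV is tainted, so the entry is tainted too, and a
#    run-time require (what AutoLoader does to find a *.al file) dies with
#    "Insecure dependency in require" when it walks @INC and reaches it.
unshift @INC, "$ENV{MACPERL}/lib";
printf "new \@INC entry is %s\n", tainted($INC[0]) ? 'tainted' : 'clean';
eval { require Text::Wrap; 1 }
    or print "run-time require failed: $@";
shift @INC;    # remove the tainted entry again

# 3. The fix: untaint on purpose, accepting only an absolute path made of
#    word characters and slashes (no '..', no shell metacharacters).
my ($safe) = $ENV{MACPERL} =~ m{^(/[\w-]+(?:/[\w-]+)*)$}
    or die "refusing unexpected MACPERL value '$ENV{MACPERL}'\n";
unshift @INC, "$safe/lib";
require Text::Wrap;    # every @INC entry is clean now, so this succeeds
print "run-time require succeeded with the untainted path\n";
```

A hard-wired path, as in the second BEGIN block quoted above, is clean for the same reason: it never came from outside the program.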