
Re: [MacPerl] taint checks and CGI.pm





--- begin quoted text

At 09.32 12/28/97, Paul J. Schinder wrote:
>First, it makes sense to me in a Unix security way that use works and
>require doesn't. use is compile time, require run time. It makes sense
>that nothing from the environment is trusted, since Joe User can set his
>own environment.

Right.  Are you saying MacPerl need not be this way?  Perhaps so, but that
requires a change to the MacPerl code rather than a simple Perl solution,
if possible.  Maybe at some point we can determine the best way to approach
this specifically for MacPerl, but for now, this seems to do the job.
--- end quoted text

No, since MacPerl allows its environment to be set by AppleEvents, it has
to be that way. It just seemed to me that people were surprised by this,
while it's obvious why it's this way in Unix Perl. If MacPerl's
environment couldn't be set from outside, then it might make some sense
not to taint the environment.

--- begin quoted text
>And finally, why all the effort to get the system specific library folder
>into @INC, when, as they used to say in the Ragu commercials (*), "It's in
>there"? In the library paths box or in PERL5LIB, any mention of :MacPerl
>:lib: gets automagically expanded to include the appropriate system
>specific library (just as it does on Unix).

I am not sure I follow ... in Unix perl, the path to the main libraries is
hardcoded into the binary.  This is not the case with MacPerl.  I don't
know if that answers the question.

--
Chris Nandor               pudge@pobox.com           http://pudge.net/
%PGPKey=('B76E72AD',[1024,'0824 090B CE73 CA10  1FF7 7F13 8180 B6B6'])
#== MacPerl: Power and Ease ==#
#== Publishing Date: Early 1998. http://www.ptf.com/macperl/ ==#
--- end quoted text

Try setting PERL5LIB on a Unix box or in your MacPerl environment editor
and then print out @INC. On my Sun, for example, /usr/local/lib/perl5 gets
magically expanded to include not only that directory but the architecture
specific directories as well. Similarly, on my Performa, "The Black Pits:
Applications: MacPerl :lib:" puts not only that folder into @INC but
:lib:MacPPC: as well. So there's no need to go to an extra effort to get
the architecture specific library folder into @INC, because it happens
automatically. The only place I've noticed this doesn't happen is when @INC
is set in the script itself. Maybe it doesn't happen when tainting is on
as well. Matthias can't rely on absolute paths, but he can always force
MacPerl to work only when the relative path to :lib is unchanged.



-------
Paul J. Schinder
NASA Goddard Space Flight Center
Code 693
Greenbelt, MD 20771
schinder@leprss.gsfc.nasa.gov
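
The experiment suggested above (set PERL5LIB, then print @INC), as an added example that is not part of the original message. It assumes a Unix-like perl built with taint support, uses a constructed temporary library folder, and repeats the check under -T (where perl does not consult PERL5LIB) and with `use lib`; the helper names `child_inc` and `report` are hypothetical.

```perl
#!/usr/bin/perl
# Added example: compare how PERL5LIB and "use lib" feed @INC, with and without -T.
use strict;
use warnings;
use Config;
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed library tree: <tmp>/lib plus an architecture-specific subfolder.
# lib.pm only adds <dir>/<archname> when <dir>/<archname>/auto exists.
my $lib  = File::Spec->catdir(tempdir(CLEANUP => 1), 'lib');
my $arch = File::Spec->catdir($lib, $Config{archname});
make_path(File::Spec->catdir($arch, 'auto'));

# Run a child perl with the given switches and return its @INC (hypothetical helper).
sub child_inc {
    my @switches = @_;
    open(my $fh, '-|', $^X, @switches, '-e', 'print "$_\n" for @INC')
        or die "cannot run $^X: $!";
    chomp(my @inc = <$fh>);
    close $fh;
    return @inc;
}

# Print whether the folder and its architecture subfolder reached @INC.
sub report {
    my ($label, @inc) = @_;
    my %seen = map { $_ => 1 } @inc;
    printf "%-20s lib:%-3s arch:%-3s\n", $label,
        $seen{$lib} ? 'yes' : 'no', $seen{$arch} ? 'yes' : 'no';
}

{
    local $ENV{PERL5LIB} = $lib;    # input controlled by whoever sets the environment
    report('PERL5LIB, no taint', child_inc());
    report('PERL5LIB, -T',       child_inc('-T'));   # PERL5LIB is not consulted under -T
}
# A path named by the script itself is still honoured under -T.
report('use lib, -T', child_inc('-T', "-Mlib=$lib"));
```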

