--- Eric Wang <[EMAIL PROTECTED]> wrote:
> Thanks! can you explain what does the taint option do?
> I usually just use #!/script/perl.exe
>
> Thanks for your help!
> eric
Eric,

If you enable taint checking, any data coming into your program from outside of the program is considered "tainted". Perl tries to ensure that tainted data is not used to affect anything outside of the program and will kill the program rather than allow Bad Things to happen. This script will die if you try to run it:
#!/usr/bin/perl -wT
use strict;
my $file = <STDIN>;   # anything read from STDIN is tainted under -T
chomp $file;
# open() needs a filehandle; using the tainted $file in a write-mode open is what -T refuses
open(FH, "> $file") or die "Can't open $file for writing: $!";
Note that the "or die" is not what's killing the script. Trying to use a tainted variable ($file) to open a file for writing is what kills the script, assuming taint mode is enabled. Trying to read from the file is considered safe, however:
open(FH, "< $file") or die "Can't open $file for reading: $!";
Unfortunately, this causes problems in many programs where someone enters something like "/etc/passwd" in a CGI script and potentially gains access to info that they shouldn't (of course, that ignores that the system should be using shadow passwords, but this is just an example). On Unix-like systems, you can also append a pipe to the filename and that will cause an attempt to execute the file instead of opening it. That's why we have taint checking: it forces us to examine these variables and make sure that the data is safe.
To learn more about taint checking and how to "untaint" a variable, open a command prompt and type "perldoc perlsec". This will also explain exactly what Perl considers tainted.

You can also read Lesson Three of my online CGI course and gain a *basic* understanding of CGI security:
http://www.easystreet.com/~ovid/cgi_course/lesson_three/lesson_three.html
Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
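As an added illustration of the untainting step that perlsec describes (example code, not part of Curtis's message), the script below reads a filename the same way, but extracts it through an allow-list regex before the write-mode open. The base directory /tmp/uploads and the permitted filename pattern are assumptions for the example.

```perl
#!/usr/bin/perl -wT
# Added example (not from the original message): untainting a filename
# before using it in a write-mode open, as described in "perldoc perlsec".
use strict;

# Assumed base directory: only files directly under it may be written.
my $base_dir = '/tmp/uploads';

# Anything read from STDIN is tainted under -T.
my $raw = <STDIN>;
chomp $raw;

# Untaint by capturing from a strict allow-list pattern anchored at both
# ends. Perl treats only the captured part ($1) as clean; input containing
# slashes, "..", a leading dot, spaces or a trailing "|" never matches and
# is rejected before it reaches open().
my ($name) = $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/
    or die "Refusing unsafe filename: '$raw'\n";

my $path = "$base_dir/$name";

# Three-argument open with an explicit mode: the filename is never parsed
# for a leading ">" or trailing "|", so a pipe character in the input could
# not turn the open into a command even if the regex above let it through.
open(my $fh, '>', $path)
    or die "Can't open $path for writing: $!";
print {$fh} "written under taint mode\n";
close($fh) or die "Can't close $path: $!";

print "Wrote $path\n";
```

Run it as "perl -T script.pl" (or from the shebang line) so that taint mode is on from the start; feeding it "notes.txt" succeeds, while "../etc/passwd" or "cat /etc/passwd |" dies at the regex check.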