I just taint gettin' this taint thing. Please banish the darkness.
I've got a cgi program that makes a call to a homegrown package.
The homegrown package (I made successfully!) among several
things tried to run this:
$host = `hostname`;
....and of course it failed with this message in apache's error_log:
1) Insecure $ENV{PATH} while running setuid at
/home/Louis/Perlib/LOUIS_utility.pm line 62.
2) Compilation failed in require at /home/Louis/Cgi-bin/lz0006.pl line 35.
3) BEGIN failed--compilation aborted at /home/Louis/Cgi-bin/lz0006.pl line
35.
So I do some research into taintness in the "Cookbook" and find a receipe
to untaint (with
the regular caveats about security). I take the following code and insert
it in my package
to accomplish identifying the hostname, and guess what. My cgi program
works but I still
get the exact same message in the error_log above even after I "cp
/dev/null" the error_log file
in case I was looking at an old message. Here's the receipe code:
die "cannot fork: $!" unless defined ($pid = open(SAFE, "|-"));
if ($pid == 0) {
exec('hostname') or die "can't exec hostname: $!";
} else {
$host = <SAFE>;
close SAFE;
}
Perl baulks at the insecure env path in my package LOUIS_utility.pm and the
calling
cgi program lz0006.pl fails to compile. And yet it works! If somebody
simply tells me
that this is impossible, I will take a break and a deep breadth.
Thank you for your time.
John
