John, Without attempting to answer your question (because I'm not sure I fully comprehend the situation), you may also want to read the `perldoc perlsec` security documentation. It has a paragraph specifically about insecure paths. Not sure it's the answer for you, but it might be.
Regards,
Brad

On Mon, 27 Oct 2003, John E Guillory wrote:

> I just taint gettin' this taint thing. Please banish the darkness.
>
> I've got a cgi program that makes a call to a homegrown package.
> The homegrown package (I made successfully!), among several
> things, tried to run this:
>
>     $host = `hostname`;
>
> ....and of course it failed with this message in apache's error_log:
>
>     1) Insecure $ENV{PATH} while running setuid at
>        /home/Louis/Perlib/LOUIS_utility.pm line 62.
>     2) Compilation failed in require at /home/Louis/Cgi-bin/lz0006.pl line 35.
>     3) BEGIN failed--compilation aborted at /home/Louis/Cgi-bin/lz0006.pl line 35.
>
> So I do some research into taintness in the "Cookbook" and find a recipe
> to untaint (with the regular caveats about security). I take the following
> code and insert it in my package to accomplish identifying the hostname,
> and guess what. My cgi program works but I still get the exact same message
> in the error_log above even after I "cp /dev/null" the error_log file in
> case I was looking at an old message. Here's the recipe code:
>
>     # "-|" opens a pipe the parent READS from; the child gets $pid == 0
>     # and execs the command directly, with no shell in between.
>     die "cannot fork: $!" unless defined ($pid = open(SAFE, "-|"));
>     if ($pid == 0) {
>         exec('hostname') or die "can't exec hostname: $!";
>     } else {
>         $host = <SAFE>;
>         close SAFE;
>     }
>
> Perl baulks at the insecure env path in my package LOUIS_utility.pm and the
> calling cgi program lz0006.pl fails to compile. And yet it works! If somebody
> simply tells me that this is impossible, I will take a break and a deep breath.
>
> Thank you for your time.
> John
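The perlsec paragraph Brad points at, worked through as an added example (this is not Brad's or John's code, and not from the Perl Cookbook). The fork-and-exec recipe removes the shell, but under -T Perl still refuses to exec anything while $ENV{PATH} is tainted, so the environment has to be sanitised first. The PATH value '/bin:/usr/bin' and the location '/bin/hostname' are assumptions for this example; adjust them to the host you run it on.

```perl
#!/usr/bin/perl -T
# Added example: taint-safe capture of the hostname, following perlsec.
# Under -T, exec/system/backticks die with "Insecure $ENV{PATH}" whenever
# PATH is tainted, even when the program is named by an absolute path,
# so step 1 is mandatory and the fork-and-exec recipe alone is not enough.
use strict;
use warnings;

# 1. Sanitise the environment before starting any child process (perlsec):
#    a fixed, absolute PATH and none of the variables a shell reads on start.
$ENV{PATH} = '/bin:/usr/bin';            # assumed; must be absolute dirs
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

sub safe_hostname {
    # 2. "-|" opens a pipe the parent reads from; in the child open()
    #    returns 0 and we exec the command directly, with no shell.
    my $pid = open(my $fh, '-|');
    die "cannot fork: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: absolute path (assumed) so no PATH lookup is involved either.
        exec('/bin/hostname') or die "can't exec hostname: $!";
    }
    # Parent.
    my $host = <$fh>;
    close $fh or die "hostname exited with status " . ($? >> 8) . "\n";
    die "no hostname returned\n" unless defined $host;
    chomp $host;
    # 3. Output read from a child is tainted; untaint it with a regex that
    #    only admits characters legal in a host name before using it further.
    ($host) = $host =~ /\A([A-Za-z0-9.-]+)\z/
        or die "hostname '$host' contains unexpected characters\n";
    return $host;
}

my $host = safe_hostname();
print "hostname: $host\n";
```

Run it with -T on the shebang line (or perl -T) to confirm it no longer logs "Insecure $ENV{PATH}"; if the same message still appears in error_log, it is coming from a different exec/system/backtick call in the package, not from this one.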