Re: how to turn on taint checking

2003-11-07 Thread Stas Bekman
Joshua N Pritikin wrote:
> [...]
> For a quick work-around, does anyone know how to tell perl that data is tainted?

Looks like you need this module: http://search.cpan.org/~phoenix/Taint-0.09/Taint.pm

Re: how to turn on taint checking

2003-11-07 Thread Geoffrey Young
use Scalar::Util qw(tainted); # included with perl 5.8.x This works correctly: warn "path".tainted($ENV{PATH}); In fact, everything in %ENV is tainted except for GATEWAY_INTERFACE and MOD_PERL. sounds right. It looks like a bug in CGI::Simple in _parse_multipart or _add_param. if those mod

Re: how to turn on taint checking

2003-11-07 Thread Joshua N Pritikin
On Fri, Nov 07, 2003 at 10:18:45PM -0500, Geoffrey Young wrote:
> >> PerlSwitches -T
> >
> >That's the right way.
>
> I'm not entirely sure, but IIRC, if you run a section or
> PerlLoadModule before PerlSwitches it's too late to specify taint mode. I
> might be wrong, but it's worth checking.

Re: how to turn on taint checking

2003-11-07 Thread Geoffrey Young
you will get an error that PerlSwitches are ignored: Syntax error on line 104 of /home/stas/apache.org/mp2-cvs/t/conf/httpd.conf: mod_perl is already running, too late for PerlSwitches so there can be no confusion about it. cool. probably from Taint.pm (whose code is quite interesting if you t

Re: how to turn on taint checking

2003-11-07 Thread Stas Bekman
Geoffrey Young wrote: My apache2.conf contains: PerlSwitches -T That's the right way. I'm not entirely sure, but IIRC, if you run a section or PerlLoadModule before PerlSwitches it's too late to specify taint mode. I might be wrong, but it's worth checking. It goes like this. There are s

Re: how to turn on taint checking

2003-11-07 Thread Geoffrey Young
My apache2.conf contains: PerlSwitches -T That's the right way. I'm not entirely sure, but IIRC, if you run a section or PerlLoadModule before PerlSwitches it's too late to specify taint mode. I might be wrong, but it's worth checking. warn tainted(param('foo')); # false for any given

Re: how to turn on taint checking

2003-11-07 Thread Stas Bekman
Joshua N Pritikin wrote: Hi! My setup is really simple, and because of this, I can't figure out what is going wrong. I am running: Apache/2.0.47 (Debian GNU/Linux) mod_perl/1.99_10 Perl/v5.8.1 My apache2.conf contains: PerlSwitches -T That's the right way. SetHandler perl-script P

how to turn on taint checking

2003-11-07 Thread Joshua N Pritikin
Hi! My setup is really simple, and because of this, I can't figure out what is going wrong. I am running: Apache/2.0.47 (Debian GNU/Linux) mod_perl/1.99_10 Perl/v5.8.1 My apache2.conf contains: PerlSwitches -T SetHandler perl-script PerlResponseHandler OHL::CGI My CGI script