Taint Mode Seems to be Ignored

on 25.05.2010 16:26:20 by Nik Ogura

Hello.

Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.

I've noticed what seems to be a case of Taint mode being ignored with
respect to CGI params when running under mod_perl.

The following:

        #!/usr/bin/perl -T

        use strict;
        use warnings;

        $ENV{'PATH'} = "/bin:/usr/bin";
        #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

        use CGI;
        my $q = CGI->new;

        my $foo = $q->param('foo');

        open OF, "> /tmp/$foo";

        print OF "blah blah blah";
        close OF;

        print "Content-type: text/html\n\n";

        print "Taint: ${^TAINT}<br>";

        print "done<br>";

Behaves normally when run without mod_perl, i.e. it tosses 500 errors
and screams bloody murder. However with the following setup: (only
relevant parts shown)

PerlTaintCheck  On
PerlWarn        On

<VirtualHost *:80>
        Alias   /cgi-bin/       /usr/lib/cgi-bin/

        <Directory /usr/lib/cgi-bin>
                Options +ExecCGI -Multiviews

                SetHandler              perl-script
                PerlOptions             +ParseHeaders
                PerlResponseHandler     ModPerl::Registry
        </Directory>

</VirtualHost>

The cgi runs without error, opening files under /tmp based on CGI
parameter inputs. The taint mode flag shows that taint mode is enabled,
and if $ENV{PATH} is not cleaned, it throws errors. The behavior is the
same with both PerlTaintCheck On and PerlSwitches -T.

What am I missing? I have production code that is apparently not as
protected as I would like.

Thanks in advance.

--
-Nik

Re: Taint Mode Seems to be Ignored

on 25.05.2010 23:03:37 by Scott Gifford


Last I heard, taint mode in mod_perl didn't always work. See:

http://marc.info/?l=apache-modperl&m=119749949626698&w=2


That was a while back, maybe it's been fixed by now.

-----Scott.


On Tue, May 25, 2010 at 10:26 AM, Nik Ogura wrote:

> Hello.
>
> Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.
>
> I've noticed what seems to be a case of Taint mode being ignored with
> respect to CGI params when running under mod_perl.
>
> The following:
>
>        #!/usr/bin/perl -T
>
>        use strict;
>        use warnings;
>
>        $ENV{'PATH'} = "/bin:/usr/bin";
>        #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
>
>        use CGI;
>        my $q = CGI->new;
>
>        my $foo = $q->param('foo');
>
>        open OF, "> /tmp/$foo";
>
>        print OF "blah blah blah";
>        close OF;
>
>        print "Content-type: text/html\n\n";
>
>        print "Taint: ${^TAINT}<br>";
>
>        print "done<br>";
>
> Behaves normally when run without mod_perl, i.e. it tosses 500 errors
> and screams bloody murder. However with the following setup: (only
> relevant parts shown)
>
> PerlTaintCheck  On
> PerlWarn        On
>
> <VirtualHost *:80>
>        Alias   /cgi-bin/       /usr/lib/cgi-bin/
>
>        <Directory /usr/lib/cgi-bin>
>                Options +ExecCGI -Multiviews
>
>                SetHandler              perl-script
>                PerlOptions             +ParseHeaders
>                PerlResponseHandler     ModPerl::Registry
>        </Directory>
>
> </VirtualHost>
>
> The cgi runs without error, opening files under /tmp based on CGI
> parameter inputs. The taint mode flag shows that taint mode is enabled,
> and if $ENV{PATH} is not cleaned, it throws errors. The behavior is the
> same with both PerlTaintCheck On and PerlSwitches -T.
>
> What am I missing? I have production code that is apparently not as
> protected as I would like.
>
> Thanks in advance.
>
> --
> -Nik
>
>


Re: Taint Mode Seems to be Ignored

on 27.05.2010 01:08:41 by Nik Ogura

That sure explains what I'm seeing. I'll have to see if I can break
loose time to dig into the internals. We have too many less
sophisticated developers and cgi scripts running under Registry and
PerlRun to fully convert to Apache2::Request.

Thanks for the solution.

--
-Nik
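
Added example, not part of the thread and not code from any poster: a version of the test script from the first message that validates `foo` against an allowlist before building the path, so the file creation is safe whether or not taint checks fire under ModPerl::Registry. The `safe_name` helper, the 64-character limit and the error messages are assumptions made for illustration; the `tainted()` check only logs when taint mode is on but the parameter arrives untainted.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: validate 'foo' explicitly so the
# open() is safe whether or not taint checks fire.
use strict;
use warnings;

use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use Scalar::Util qw(tainted);

$ENV{'PATH'} = "/bin:/usr/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

# Allowlist: a plain file name only. No "/", no leading "." or "-",
# at most 64 characters. Returns the captured name or undef.
sub safe_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

my $q   = CGI->new;
my $raw = $q->param('foo');

# Diagnostic: with taint mode on, request input should be tainted.
# A hit here in the error log means taint is not covering CGI params.
warn "taint mode is on but param 'foo' is not tainted\n"
    if ${^TAINT} && defined $raw && !tainted($raw);

my $name = safe_name($raw);
if (!defined $name) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "invalid value for foo\n";
    exit;
}

# O_EXCL refuses to follow a symlink or reuse a file already in /tmp.
my $fh;
if (!sysopen($fh, "/tmp/$name", O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    print $q->header(-status => '500 Internal Server Error', -type => 'text/plain');
    print "could not create file\n";
    exit;
}
print {$fh} "blah blah blah";
close $fh or warn "close failed: $!\n";

print $q->header(-type => 'text/html');
print "Taint: ${^TAINT}<br>";
print "done<br>";
```

Because the name comes from a regex capture, it is also untainted in environments where taint checks do work, so the same script runs under plain CGI and under Registry.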