For my own reference, a Perl CGI script to dump out received parameters, taint mode status, and Perl's internal configuration. In order to run taint scripts on Microsoft IIS (version 5.1 on Windows XP Pro SP2) with ActivePerl I had to create a mapping (Default Web Site Properties → Home Directory → Configuration... → Mappings) for files with a .tpl extension to execute with C:\Perl\bin\perl.exe -T "%s" %s; otherwise Perl refused to run the script with the error: "-T" is on the #! line, it must also be used on the command line.
Here's the script:

#!/usr/bin/perl -wT
use strict;
use warnings;
use CGI::Pretty qw(:standard fatalsToBrowser);
use Config;

print header, start_html('CGI test page');
# Under -T every %ENV value is tainted, so PATH is a convenient probe.
print p('Taint mode ON!') if is_tainted($ENV{PATH});
print h1('Received CGI parameters'), Dump if param;

# Environment values are untrusted input (QUERY_STRING, HTTP_USER_AGENT, ...)
# and are HTML-escaped before being echoed back into the page.
print h1('Environment');
my $env_list = '';
foreach (sort keys %ENV) { $env_list .= dt(escapeHTML($_)) . dd(escapeHTML($ENV{$_})) }
print dl($env_list);

print h1('Perl configuration');
print pre(escapeHTML(Config::myconfig()));
print end_html;

# perlsec-style taint test: a string eval of tainted data dies under -T, even
# when that data is a zero-length substring, so the surrounding block eval
# fails and returns undef.
sub is_tainted {
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}
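The same is_tainted() trick exercised outside the web server, as an added example that is not part of the original post: it shows which data carries the taint, that a regex capture is the only thing that removes it, and (on Perls that have it) that Scalar::Util::tainted gives the same answer. The script name taint_demo.pl and the constructed "report.txt" value are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post). Run it as "perl -T taint_demo.pl":
# -T must be on the command line, which is what the IIS mapping above supplies.
use strict;
use warnings;

# perlsec-style check: a zero-length substring of a tainted string is still
# tainted, and a string eval of tainted data dies under -T, leaving $@ set.
sub is_tainted {
    my $arg  = shift;
    my $nada = substr($arg, 0, 0);   # zero-length, but carries the taint
    local $@;                         # preserve the caller's $@
    eval { eval "# $nada" };
    return length($@) != 0;
}

# Constructed "user input": splicing in a zero-length piece of %ENV makes a
# literal tainted, exactly as a value from a CGI parameter would arrive.
my $filename = substr(join('', values %ENV), 0, 0) . 'report.txt';

printf "taint mode:            %s\n", ${^TAINT} ? 'on' : 'OFF (use perl -T)';
printf "literal tainted?       %d\n", is_tainted('report.txt');
printf "env-derived tainted?   %d\n", is_tainted($filename);

# Untainting: only a regex capture clears the taint, so the pattern *is* the
# validation. Accept a plain basename and nothing else (no slashes, no "..").
my ($safe) = $filename =~ /^([\w-]+(?:\.\w+)?)\z/
    or die "refusing unexpected filename: $filename\n";
printf "after regex capture:   %d\n", is_tainted($safe);

# Cross-check with the core function the first comment recommends, on Perls
# new enough to have it (Scalar::Util::tainted shipped with 5.8).
if (eval { require Scalar::Util; Scalar::Util->can('tainted') }) {
    printf "Scalar::Util::tainted: %d %d\n",
        Scalar::Util::tainted($filename), Scalar::Util::tainted($safe);
}
```

If the -T is left off the command line, the script dies with the same "-T" is on the #! line error described above, which is the quickest way to confirm the server mapping is doing its job.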
2 comments:
Scalar::Util contains "tainted", which works a lot less hard than you did.
True enough, but unfortunately one of the web servers I need to use is only running Perl 5.6.1 which doesn't include that module by default. So I took an example from the Camel 3rd edition, which I've since changed to the example in perlsec since it seems cleaner.
It would be nice if I ran that server and could upgrade Perl, but then again if I ran it I wouldn't be using something like IIS.
And by the way, welcome to my blog! How'd you find me here?