For my own reference, a Perl CGI script to dump out received parameters, taint mode status, and Perl's internal configuration. In order to run taint scripts on Microsoft IIS (version 5.1 on Windows XP Pro SP2) with ActivePerl I had to create a mapping (Default Web Site Properties → Home Directory → Configuration... → Mappings) for files with a .tpl extension to execute with C:\Perl\bin\perl.exe -T "%s" %s; otherwise I'd get the error "-T" is on the #! line, it must also be used on the command line.
Here's the script:

#!/usr/bin/perl -wT
use strict;
use warnings;
use CGI::Pretty qw(:standard);
use CGI::Carp qw(fatalsToBrowser);   # fatalsToBrowser is exported by CGI::Carp, not CGI
use Config;

print header, start_html('CGI test page');
# %ENV is tainted under -T, so this line only prints when taint mode is really on.
print p('Taint mode ON!') if is_tainted($ENV{PATH});
# Dump already HTML-escapes the parameter names and values it prints.
print h1('Received CGI parameters'), Dump if param;

print h1('Environment');
# Environment values such as QUERY_STRING and HTTP_USER_AGENT come straight from
# the client, so escape them rather than echoing raw HTML back into the page.
my $env_list = '';
foreach (sort keys %ENV) { $env_list .= dt(escapeHTML($_)) . dd(escapeHTML($ENV{$_})) }
print dl($env_list);

print h1('Perl configuration');
print pre(Config::myconfig());
print end_html;

# From perlsec: perl refuses to compile a string containing tainted data, so the
# inner eval fails (and is_tainted returns true) when any argument is tainted.
sub is_tainted {
    local $@;   # don't clobber the caller's $@
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}
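An added example (my own, not the post's script) that exercises the same is_tainted() check under perl -T: it reports the taint status of a value before and after laundering it through an allow-list regex, then shows that a file write through the still-tainted name is refused while the laundered one is accepted. It assumes File::Temp (a core module) is available and that $ENV{PATH} is set, as it is in any CGI environment.

```perl
#!/usr/bin/perl -T
# Added example, not the original post's script. Run it as: perl -T taint_demo.pl
# (run it without -T and you get the same "-T is on the #! line" error the post
# mentions). It shows what is_tainted() reports before and after laundering a
# value, and what taint mode refuses when a tainted value reaches a file write.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Same test as the script above (from perlsec): perl refuses to compile a string
# containing tainted data, so the inner eval fails if any argument is tainted.
sub is_tainted {
    local $@;    # don't clobber the caller's $@
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

# Launder a value by capturing it against an explicit allow-list pattern.
# Only the capture is clean; returns undef when the input does not match,
# so unexpected values are rejected instead of passed through.
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /^([\w.-]{1,64})$/;
    return $1;
}

# Constructed input. @ARGV is tainted under -T; when no argument is given, the
# fallback literal is stamped tainted by appending an empty slice of the (always
# tainted) $ENV{PATH}, the same propagation rule is_tainted() itself relies on.
my $raw = @ARGV ? $ARGV[0] : 'report.txt' . substr($ENV{PATH}, 0, 0);

# Report the taint status of the raw and laundered values.
for my $pair (['raw', $raw], ['laundered', untaint_filename($raw)]) {
    my ($label, $value) = @$pair;
    my $status = defined $value ? (is_tainted($value) ? 'yes' : 'no') : 'n/a';
    printf "%-9s %-12s tainted: %s\n", $label,
        defined $value ? $value : '(rejected)', $status;
}

# Writing through a tainted name dies with "Insecure dependency in open";
# the laundered name is accepted. A throwaway directory keeps this side-effect free.
my $dir = tempdir(CLEANUP => 1);
for my $name (grep { defined } $raw, untaint_filename($raw)) {
    my $ok = eval { open(my $fh, '>', "$dir/$name") or die "$!\n"; close $fh; 1 };
    print $ok ? "open '$name' succeeded\n" : "open '$name' refused: $@";
}
```

Pass a different value as the first command-line argument to see the regex reject it; as the comments below note, Scalar::Util::tainted gives the same answer as is_tainted() on Perl 5.8 and later.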
2 comments:
Scalar::Util contains "tainted", which works a lot less hard than you did.
True enough, but unfortunately one of the web servers I need to use is only running Perl 5.6.1 which doesn't include that module by default. So I took an example from the Camel 3rd edition, which I've since changed to the example in perlsec since it seems cleaner.
It would be nice if I ran that server and could upgrade Perl, but then again if I ran it I wouldn't be using something like IIS.
And by the way, welcome to my blog! How'd you find me here?