I'm trying to run taint mode on a Perl website, using mod_perl. This is upgrading an older application to use the latest Perl and libraries; it used to work and mostly still works, but file uploads are suddenly throwing errors.
Trying to upload a file gives the error "Insecure dependency in sysopen while running with -T switch at /Perl/lib/File/Temp.pm line 517". Adding a stacktrace shows this is coming from ModPerl and then CGI, not the application code. CGI is trying to create a temp folder based on $ENV{TEMP}, but this is tainted so it throws an error.
I tried to fix this by changing $ENV{TEMP} to a hardcoded value in startup.pl within the Apache conf folder:
$ENV{TEMP} = 'C:/Temp/AppTempFolder';
warn "Set TEMP - " . is_tainted($ENV{TEMP}); # At least here $ENV{TEMP} is now untainted
Except it still doesn't work. If I edit CGI.pm (sub read_multipart) to print the same message, I get:
warn "tmp_dir is $tmp_dir - " . is_tainted($tmp_dir);
#tmp_dir is C:/Temp/AppTempFolder - 1
warn "From: $ENV{TEMP} || $ENV{TMP} || $ENV{WINDIR}";
#From: C:/Temp/AppTempFolder || C:\WINDOWS\TEMP || C:\WINDOWS
So it kept the new value of $ENV{TEMP}, but re-tainted it.
perlsec doesn't make any mention of values being re-tainted, and the examples suggest that there's nothing special about %ENV with regard to taint, only that they start out tainted.
Is there a way to either prevent this re-tainting of data, or a different way to set CGI up for reading file uploads to not rely on a tainted %ENV?
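Added example, not part of the original question and not code from CGI.pm or mod_perl: a taint-mode check that launders a temp directory through an allowlist regex capture (the untainting mechanism perlsec describes) and writes the clean value back to the TEMP and TMP variables that the question's debug output shows CGI consulting. The names `untaint_temp_dir` and `fix_temp_env` are hypothetical, the input is constructed, and whether such a hook runs before CGI.pm reads the upload in a given mod_perl setup is an assumption.

```perl
# Added example; run as: perl -T this_script.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Allowlist: drive letter, forward slashes, plain path segments only.
# Segments such as ".." or anything with spaces or backslashes do not match.
my $SAFE_DIR = qr{\A([A-Za-z]:(?:/[A-Za-z0-9_-]+)+)\z};

# Return an untainted copy of $dir, or die if it fails the allowlist.
# The capture group is what clears the taint flag (no "use re 'taint'" here).
sub untaint_temp_dir {
    my ($dir) = @_;
    defined $dir or die "temp dir is not set\n";
    my ($clean) = $dir =~ $SAFE_DIR
        or die "refusing temp dir '$dir'\n";
    return $clean;
}

# Hypothetical per-request hook: validate the variables CGI falls back
# through (TEMP, then TMP) and store the laundered values in %ENV.
sub fix_temp_env {
    for my $key (qw(TEMP TMP)) {
        next unless defined $ENV{$key};
        $ENV{$key} = untaint_temp_dir($ENV{$key});
    }
    return;
}

# Constructed input: a zero-length tainted string taints whatever it joins,
# which stands in for a value that arrives tainted at request time.
my $taint = substr("$0$^X", 0, 0);
local %ENV = (TEMP => 'C:/Temp/AppTempFolder' . $taint);
tainted($ENV{TEMP}) or die "sample value is not tainted; run with perl -T\n";

printf "before: %s tainted=%d\n", $ENV{TEMP}, tainted($ENV{TEMP}) ? 1 : 0;
fix_temp_env();
printf "after:  %s tainted=%d\n", $ENV{TEMP}, tainted($ENV{TEMP}) ? 1 : 0;

# A path that leaves the expected tree is rejected instead of laundered.
my $bad = 'C:/Temp/../Windows' . $taint;
eval { untaint_temp_dir($bad); 1 } or print "rejected: $@";
```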
Tags: perl; mod_perl with taint mode on Windows - Stack Overflow