How to unable the use of tainted mode in a CGI script ?

[Azol]

Hello.

I have to use a long perl script which use the "tainted mode" (-T
option), but the hoster we use doesn't allow this option unless on
dedicated server (and, of course, we can't pay a dedicated server).

What I have to do to remove the tainted mode in the script ?

I'm using PERL sometimes, but don't know very well what implies this
"tainted mode" option. However, I suppose removing the "-T" on bash line
isn't enough

Could you tell me, please.

 

[Joost Diepenmaat]

Hello.

I have to use a long perl script which use the "tainted mode" (-T
option), but the hoster we use doesn't allow this option unless on
dedicated server (and, of course, we can't pay a dedicated server).

Very strange. You might consider looking for another hosting
company. I've never heard of anything like that.

What I have to do to remove the tainted mode in the script ?

Just remove the -T option. That's really all it takes (taint mode can
only be enabled at the very start of the program).

 

[John Bokma]

I'm using PERL sometimes,

Perl is not an acronym; perl is the name of the executable that runs your
Perl program.

but don't know very well what implies this
"tainted mode" option.

perldoc -q taint
which points to "Laundering and Detecting Tainted Data" in perlsec
(i.e. perldoc perlsec )

"
This flag is *strongly* suggested for server programs and any program
run on behalf of someone else, such as a CGI script. Once taint mode is
on, it's on for the remainder of your script.
"

 

[smallpond]

Hello.

I have to use a long perl script which use the "tainted mode" (-T
option), but the hoster we use doesn't allow this option unless on
dedicated server (and, of course, we can't pay a dedicated server).

What I have to do to remove the tainted mode in the script ?

I'm using PERL sometimes, but don't know very well what implies this
"tainted mode" option. However, I suppose removing the "-T" on bash line
isn't enough

Could you tell me, please.

On a shared server it is quite reasonable for the CGI to run tainted.
Read perlsec for information on untainting received parameters and
what is not allowed. If you post the failing code, we could suggest
proper ways to do what you want.

--S

 

[xhoster]

Hello.

I have to use a long perl script which use the "tainted mode" (-T
option), but the hoster we use doesn't allow this option unless on
dedicated server (and, of course, we can't pay a dedicated server).

I would consider finding another host. They seem to have things backwards.
If I'm sharing a server with random other people, I want them to be forced
to use -T, not forbidden from it.

What I have to do to remove the tainted mode in the script ?

Remove the -T.

I'm using PERL sometimes, but don't know very well what implies this
"tainted mode" option. However, I suppose removing the "-T" on bash line
isn't enough

If it isn't, then I have no idea what is going on. It is probably a
weirdness peculiar to your hosting environment.


Xho

--
-------------------- http://NewsReader.Com/ --------------------
The costs of publication of this article were defrayed in part by the
payment of page charges. This article must therefore be hereby marked
advertisement in accordance with 18 U.S.C. Section 1734 solely to indicate
this fact.

 

[Tim Greer]

Hello.

I have to use a long perl script which use the "tainted mode" (-T
option), but the hoster we use doesn't allow this option unless on
dedicated server (and, of course, we can't pay a dedicated server).

What I have to do to remove the tainted mode in the script ?

I'm using PERL sometimes, but don't know very well what implies this
"tainted mode" option. However, I suppose removing the "-T" on bash
line isn't enough

Could you tell me, please.

What do you mean that your host won't allow you to use Taint mode? Do
you mean they don't allow Perl, or actually don't allow you to use
Taint mode? That seems crazy, are you sure that's the case and there
wasn't some misunderstanding about the question or feature? I can't
imagine anyone in their right mind denying a user from using a switch
that helps keep your site (and by proxy, their service your site runs
on) from being exposed to problems with a potentially insecure portion
of your code? Is your script perhaps set to run in the background,
launching a child process or something? This is a really strange thing
to hear.

 

[Tim Greer]

Hello.

I have to use a long perl script which use the "tainted mode" (-T
option), but the hoster we use doesn't allow this option unless on
dedicated server (and, of course, we can't pay a dedicated server).

What I have to do to remove the tainted mode in the script ?

I'm using PERL sometimes, but don't know very well what implies this
"tainted mode" option. However, I suppose removing the "-T" on bash
line isn't enough

Could you tell me, please.

Also, and this isn't something I'd usually suggest, if you plan to stay
with a host that (if what you say is true), is truly clueless enough to
not allow Taint to be used, then look here and upload the following:
http://www.cpan.org/modules/by-module/Taint/ and call that in your
script. I still get the impression that whatever tech representative
you spoke with or emailed at your host, likely didn't understand your
question, but if it fails with Taint mode on, be sure it's not your
script that's causing it to fail, and be sure they really don't allow
this to be switched on, because that is very strange.

 

[Peter Scott]

I have to use a long perl script which use the "tainted mode" (-T
option), but the hoster we use doesn't allow this option unless on
dedicated server (and, of course, we can't pay a dedicated server).

I'm curious; what happens if you run a trivial CGI program with -T on this
host? Because I can't figure out how they would prohibit -T without
building perl from a customized source, and I cannot fathom a
justification for doing so.

 

[Sherm Pendley]

I'm curious; what happens if you run a trivial CGI program with -T on this
host? Because I can't figure out how they would prohibit -T without
building perl from a customized source

They could be running them in mod_perl's CGI emulation. Taint mode
must be specified when the interpreter is started. So if you have a
script that's running in Apache::Registry that has a -T in the #!
line, and the sysadmin hasn't enabled Taint mode globally with the
"PerlTaintCheck On" directive in httpd.conf, then you'll get a warning
to the effect that it's too late to use -T.

Come to think of it, you might get that warning whether Taint mode is
enabled globally or not - I've never tried using -T when it's already
been enabled with PerlTaintCheck.

sherm--

 

[Azol]

What do you mean that your host won't allow you to use Taint mode? Do
you mean they don't allow Perl, or actually don't allow you to use
Taint mode? That seems crazy, are you sure that's the case and there
wasn't some misunderstanding about the question or feature? I can't
imagine anyone in their right mind denying a user from using a switch
that helps keep your site (and by proxy, their service your site runs
on) from being exposed to problems with a potentially insecure portion
of your code? Is your script perhaps set to run in the background,
launching a child process or something? This is a really strange thing
to hear.

Thanks to all of you : it's very cool to get all of your returns

Yes, it's the reply of their support : remove the -T option : oops
Their site is http://www.1and1.fr/

Also, effectively, the script manage a child process : what do you think
about that ?

 

[Azol]

I'm curious; what happens if you run a trivial CGI program with -T on this
host? Because I can't figure out how they would prohibit -T without
building perl from a customized source, and I cannot fathom a
justification for doing so.

Well, I've tried with this trivial CGI :

#!/usr/bin/perl -T
use strict;
use warnings;
print "Content-type: text/html\n\n<HTML><BODY><P>Hello World !</P>
</BODY></HTML>";
exit 0;

It returns a "Error 500 - Internal server error" with -T
It works without -T

So, its seems 1and1.fr really doesn't allow the tainted mode.

 

[Azol]

What do you mean that your host won't allow you to use Taint mode? Do
you mean they don't allow Perl, or actually don't allow you to use
Taint mode?

They allow Perl, but not the -T option (so, tainted mode)

 

[Sherm Pendley]

Well, I've tried with this trivial CGI :

#!/usr/bin/perl -T
use strict;
use warnings;
print "Content-type: text/html\n\n<HTML><BODY><P>Hello World !</P>
</BODY></HTML>";
exit 0;

You don't need exit() here; it's only needed when you want to
interrupt the normal flow of execution.

It returns a "Error 500 - Internal server error" with -T

That's just a generic error that essentially means "something went
wrong." The actual error message that was printed by Perl is in the
web server's error log.

It works without -T

So, its seems 1and1.fr really doesn't allow the tainted mode.

Maybe. What's in the error log?

sherm--

 

[Tim Greer]

Thanks to all of you : it's very cool to get all of your returns

Yes, it's the reply of their support : remove the -T option : oops
Their site is http://www.....fr/

Also, effectively, the script manage a child process : what do you
think about that ?

I had just suggested that perhaps they didn't understand the question,
not that you were running something in the background, but just an
example of a misunderstanding that perhaps they were saying something
else wasn't allowed (if you were using Taint mode in that non allowed
script).

 

[Tim Greer]

They allow Perl, but not the -T option (so, tainted mode)

Right, I got that part. Odd that they don't allow it.

 

[Azol]

It returns a "Error 500 - Internal server error" with -T

That's just a generic error that essentially means "something went
wrong." The actual error message that was printed by Perl is in the
web server's error log.

[quoted text muted]
It works without -T

So, its seems 1and1.fr really doesn't allow the tainted mode.

Maybe. What's in the error log?

OK, Sherm, thanks for your help.

Here is what I get in access.log when I run hello_tainted.pl (so with -T
of course)

88.123.74.251 - - [26/Sep/2008:11:53:36 +0200] "GET /cgi-
bin/hello_tainted.pl HTTP/1.0" 200 669 sankyogo.com "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727)" "-"

And this same CGI works if I remove -T as said in a previous post.

Does-it give you an idea ?

 

[Peter Makholm]

Here is what I get in access.log when I run hello_tainted.pl (so with -T
of course)

The access log and error log contains quite different information. So
when asked for the error log there is only a very minimal chance that
the access log contains the needed information.

//Makholm

 

[Azol]

The access log and error log contains quite different information. So
when asked for the error log there is only a very minimal chance that
the access log contains the needed information.

Yes, but there's not any error.log in the log directory, so, maybe
access.log combinate acceses and errors in a same file here.

 

[Tim Greer]

Yes, but there's not any error.log in the log directory, so, maybe
access.log combinate acceses and errors in a same file here.

Where is your log directory? Are you looking for the error log in the
log directory for the web server? A lot of hosts have individual
directories for user's domain logs, or one central location, while the
actual error logs are usually still located in the standard log
location for the web service (wherever that might be, depending on
their configuration and type of service). Ask your host if you're
unsure.

By the way, that access log alone showed a 200 response, rather than a
500 response, so it made it appear as though, from the access log
standpoint anyway, that it's working (this is why you need to locate
and show the associated log entry from the error log, when you test the
script and have it fail). Did you ask your host to clarify how/why
Taint isn't working?

 

[Azol]

Where is your log directory? Are you looking for the error log in the
log directory for the web server? A lot of hosts have individual
directories for user's domain logs, or one central location, while the
actual error logs are usually still located in the standard log
location for the web service (wherever that might be, depending on
their configuration and type of service). Ask your host if you're
unsure.

OK, not any error.log in my account... I ask the support about this.
Thanks for your advice, Tim.

By the way, that access log alone showed a 200 response, rather than a
500 response, so it made it appear as though, from the access log
standpoint anyway, that it's working (this is why you need to locate
and show the associated log entry from the error log, when you test the
script and have it fail). Did you ask your host to clarify how/why
Taint isn't working?

Here is the reply from the hoster's support (in French) :

"Nous vous informons qu'il ne sera pas possible d'utiliser cette
fonction sur de l'hébergement mutualisé. Vous devez pour cela vous
tourner vers les offres de serveurs privés, ou l'accès Root vous
permettra d'installer ce type de script."

In English, it's something like :

"We inform you that it will be not possible to use this function in a
mutualised hosting. You must go to the private or dedicated servers
offers, where the root access will alow you this kind of script"

oops