How to unable the use of tainted mode in a CGI script ?


Tim Greer

Azol said:
OK, not any error.log in my account... I ask the support about this.
Thanks for your advice, Tim.


Here is the reply from the hoster's support (in French) :

"Nous vous informons qu'il ne sera pas possible d'utiliser cette
fonction sur de l'hébergement mutualisé. Vous devez pour cela vous
tourner vers les offres de serveurs privés, ou l'accès Root vous
permettra d'installer ce type de script."

In English, it's something like :

"We inform you that it will not be possible to use this function in a
mutualised hosting. You must go to the private or dedicated servers
offers, where the root access will allow you this kind of script"

oops :(

That is unfortunate, and wrong. I suggest you start looking for a
hosting provider that has a better idea of how this works. After all,
it's only to their advantage (and yours), to offer features that catch
a lot of potential mistakes in users' code (that can ultimately save
their clients (and them) a lot of headaches about abuse reports). For
example, if some client has their script exploited, because the host
didn't allow their users to add some common and simple checks to
alert/warn or error when a significant goof in the code is
seen. Strange. I'd convey those concerns to them, if nothing else.
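
What taint mode catches, shown as an added example that is not code from the thread: a constructed script in which a request value used directly in a file name opened for writing is refused, and only a value that passes an allow-list pattern is accepted. The `note` parameter, the `/tmp` directory and the file names are assumptions made for the demo.

```perl
#!/usr/bin/perl -T
# Added demo with constructed input. Run from a shell as:
#   QUERY_STRING='note=../../etc/passwd' perl -T taint_demo.pl
#   QUERY_STRING='note=todo_list'        perl -T taint_demo.pl
# (plain "perl taint_demo.pl" fails at startup: -T is only on the #! line)
use strict;
use warnings;
use Scalar::Util qw(tainted);

my $NOTE_DIR = '/tmp';    # hypothetical storage directory for this demo
die "set QUERY_STRING first (see header)\n" unless defined $ENV{QUERY_STRING};

# Pull the "note" parameter out of the query string. "use re 'taint'" keeps
# the capture tainted; without it, any regex capture silently untaints.
sub raw_param {
    use re 'taint';
    my ($value) = $ENV{QUERY_STRING} =~ /(?:^|[&;])note=([^&;]*)/;
    return $value // '';
}

# Deliberate untainting: an anchored allow-list, never a catch-all like (.*).
sub clean_name {
    my ($raw) = @_;
    return $raw =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

sub append_note {
    my ($name) = @_;
    open(my $fh, '>>', "$NOTE_DIR/note_$name.txt") or die "open: $!\n";
    print {$fh} "visited\n";
    close($fh) or die "close: $!\n";
    return "stored $NOTE_DIR/note_$name.txt";
}

my $raw = raw_param();
printf "raw value tainted: %s\n", tainted($raw) ? 'yes' : 'no';

# The mistake taint mode catches: request data used directly in a file name
# opened for writing. Perl dies with "Insecure dependency in open ...".
my $result = eval { append_note($raw) };
print "unchecked use: ", (defined $result ? "$result\n" : "refused: $@");

# The checked path: only a validated name reaches open().
my $name = clean_name($raw);
print defined $name ? append_note($name) . "\n" : "rejected: name not allowed\n";
```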
 

Azol

Tim Greer said:
That is unfortunate, and wrong. I suggest you start looking for a
hosting provider that has a better idea of how this works.

I've asked them for more info about the reason for their strange
decision... I'll see their reply.

Also, awaiting this, and knowing I don't see any separate error.log
anywhere, I've tried to catch the error using:

use CGI::Carp qw/fatalsToBrowser/;

And it doesn't work: nothing special on the browser's screen? Does it
mean there is again a special config on their side?

:((
 

Tim Greer

Azol said:
I've asked them for more info about the reason for their strange
decision... I'll see their reply.

Also, awaiting this, and knowing I don't see any separate error.log
anywhere, I've tried to catch the error using:

use CGI::Carp qw/fatalsToBrowser/;

And it doesn't work: nothing special on the browser's screen? Does it
mean there is again a special config on their side?

:((

If -T is causing it to fail, it's pretty much just like having invalid syntax
that would cause the script to error rather than execute. It can't
report an error in that way, if the script can't run. So, you'd have
it fail and error in a way that wouldn't relate to showing errors via
CGI::Carp, I'm sorry to say. That's not going to allow you to see
why/the error. Ask them where the error logs are located. Do you have
shell/ssh access? Do you have any control panel or interface where you
can view logs, or download them via FTP, or anything? Ultimately, you
should just get a better web host that understands the advantages to
allowing Taint (I honestly can't conceive of a reason why a host would
make an effort to NOT allow something that only helps their clients
create more secure scripts. I'd worry about what else they've done (or
have not done) that affects stability, security and efficiency).
 

Azol

Tim Greer said:
If -T is causing it to fail, it's pretty much just like having invalid syntax
that would cause the script to error rather than execute. It can't
report an error in that way, if the script can't run. So, you'd have
it fail and error in a way that wouldn't relate to showing errors via
CGI::Carp, I'm sorry to say. That's not going to allow you to see
why/the error. Ask them where the error logs are located. Do you have
shell/ssh access? Do you have any control panel or interface where you
can view logs, or download them via FTP, or anything? Ultimately, you
should just get a better web host that understands the advantages to
allowing Taint (I honestly can't conceive of a reason why a host would
make an effort to NOT allow something that only helps their clients
create more secure scripts. I'd worry about what else they've done (or
have not done) that affects stability, security and efficiency).

You're right : this hoster is really bad.

Here is their last reply when I asked them for more details about tainted mode
forbidding and where error.log is located

In French :

Nous vous informons que ce fichier n'est accessible qu'à l'utilisateur
root sur le serveur.
Concernant le mode tainted, il s'agit de raisons techniques que nous ne
pouvons pas détailler ici.

So, in English :

We inform you that this file (error.log) is only accessible for the root
user.
About tainted mode, we can't tell you our technical reason (ie. it's
confidential and you're just a customer)

:(
 
