How to disable the use of tainted mode in a CGI script?

Discussion in 'Perl Misc' started by Azol, Sep 22, 2008.

  1. Azol

    Azol Guest

    Hello.

    I have to use a long Perl script which uses the "tainted mode" (-T
    option), but the hoster we use doesn't allow this option unless on a
    dedicated server (and, of course, we can't pay for a dedicated server).

    What do I have to do to remove the tainted mode in the script?

    I'm using PERL sometimes, but don't know very well what this
    "tainted mode" option implies. However, I suppose removing the "-T" on
    the bash line isn't enough :(

    Could you tell me, please?
    Azol, Sep 22, 2008
    #1

  2. Azol <azol@non-non-non> writes:

    > Hello.
    >
    > I have to use a long Perl script which uses the "tainted mode" (-T
    > option), but the hoster we use doesn't allow this option unless on a
    > dedicated server (and, of course, we can't pay for a dedicated server).


    Very strange. You might consider looking for another hosting
    company. I've never heard of anything like that.

    > What do I have to do to remove the tainted mode in the script?


    Just remove the -T option. That's really all it takes (taint mode can
    only be enabled at the very start of the program).

    --
    Joost Diepenmaat | blog: http://joost.zeekat.nl/ | work: http://zeekat.nl/
    Joost Diepenmaat, Sep 22, 2008
    #2

  3. Azol

    John Bokma Guest

    Azol <azol@non-non-non> wrote:

    > I'm using PERL sometimes,


    Perl is not an acronym; perl is the name of the executable that runs your
    Perl program.

    > but don't know very well what this
    > "tainted mode" option implies.


    perldoc -q taint
    which points to "Laundering and Detecting Tainted Data" in perlsec
    (i.e. perldoc perlsec )

    "
    This flag is *strongly* suggested for server programs and any program
    run on behalf of someone else, such as a CGI script. Once taint mode is
    on, it's on for the remainder of your script.
    "

    --
    John http://johnbokma.com/ - Hacking & Hiking in Mexico

    Perl help in exchange for a gift:
    http://johnbokma.com/perl/help-in-exchange-for-a-gift.html
    John Bokma, Sep 22, 2008
    #3
  4. Azol

    smallpond Guest

    On Sep 22, 1:17 pm, Azol <azol@non-non-non> wrote:
    > Hello.
    >
    > I have to use a long Perl script which uses the "tainted mode" (-T
    > option), but the hoster we use doesn't allow this option unless on a
    > dedicated server (and, of course, we can't pay for a dedicated server).
    >
    > What do I have to do to remove the tainted mode in the script?
    >
    > I'm using PERL sometimes, but don't know very well what this
    > "tainted mode" option implies. However, I suppose removing the "-T" on
    > the bash line isn't enough :(
    >
    > Could you tell me, please?


    On a shared server it is quite reasonable for the CGI to run tainted.
    Read perlsec for information on untainting received parameters and
    what is not allowed. If you post the failing code, we could suggest
    proper ways to do what you want.

    --S
    smallpond, Sep 22, 2008
    #4
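An added example, not from the thread, of what John Bokma's pointer to perlsec ("Laundering and Detecting Tainted Data") and smallpond's advice amount to in practice: keep -T and launder the received parameter through a whitelist capture instead of dropping the switch. It assumes CGI.pm is installed (core Perl in 2008, a separate distribution since 5.22); the parameter name `name`, the whitelist pattern and the output path under /tmp are constructed for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): keep -T and launder the request
# parameter as perlsec's "Laundering and Detecting Tainted Data" describes.
use strict;
use warnings;
use CGI;                               # assumes CGI.pm is installed
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted as well. Set PATH explicitly and drop the
# variables perlsec lists before any system()/exec()/piped open().
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The only way to untaint is a regex capture: match a tight whitelist
# and return the captured part. Never "launder" with /(.*)/.
sub untaint_name {
    my ($value) = @_;
    return unless defined $value;
    return $1 if $value =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    return;                            # reject; do not try to "clean" it
}

my $q        = CGI->new;
my $raw_name = $q->param('name');     # tainted: it came from the client
my $name     = untaint_name($raw_name);

print $q->header('text/plain');
if (!defined $name) {
    print "Rejected: name must be 1-32 characters of [A-Za-z0-9_-]\n";
    exit 0;
}

# $name is untainted. Using $raw_name in the open() below would die under
# -T with "Insecure dependency in open while running with -T switch".
my $path = "/tmp/greeting-$name.txt";  # constructed path for the example
open my $fh, '>', $path or die "open $path: $!";
print {$fh} "Hello $name\n";
close $fh;

printf "name=%s tainted_before=%d tainted_after=%d wrote=%s\n",
    $name, (tainted($raw_name) ? 1 : 0), (tainted($name) ? 1 : 0), $path;
```

Run it from a shell as `perl -T greeting.pl name=alice` (CGI.pm reads `key=value` pairs from the command line when it is not under a web server; @ARGV is tainted under -T just as request data is), then try `name='../etc'` to see the whitelist reject it. The rule is the one perlsec states: the whitelist describes what is allowed, and anything else is refused rather than patched up.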
  5. Azol

    Guest

    Azol <azol@non-non-non> wrote:
    > Hello.
    >
    > I have to use a long Perl script which uses the "tainted mode" (-T
    > option), but the hoster we use doesn't allow this option unless on a
    > dedicated server (and, of course, we can't pay for a dedicated server).



    I would consider finding another host. They seem to have things backwards.
    If I'm sharing a server with random other people, I want them to be forced
    to use -T, not forbidden from it.


    > What do I have to do to remove the tainted mode in the script?


    Remove the -T.

    > I'm using PERL sometimes, but don't know very well what this
    > "tainted mode" option implies. However, I suppose removing the "-T" on
    > the bash line isn't enough :(


    If it isn't, then I have no idea what is going on. It is probably a
    weirdness peculiar to your hosting environment.


    Xho

    --
    -------------------- http://NewsReader.Com/ --------------------
    The costs of publication of this article were defrayed in part by the
    payment of page charges. This article must therefore be hereby marked
    advertisement in accordance with 18 U.S.C. Section 1734 solely to indicate
    this fact.
    , Sep 22, 2008
    #5
  6. Azol

    Tim Greer Guest

    Azol wrote:

    > Hello.
    >
    > I have to use a long Perl script which uses the "tainted mode" (-T
    > option), but the hoster we use doesn't allow this option unless on a
    > dedicated server (and, of course, we can't pay for a dedicated server).
    >
    > What do I have to do to remove the tainted mode in the script?
    >
    > I'm using PERL sometimes, but don't know very well what this
    > "tainted mode" option implies. However, I suppose removing the "-T" on
    > the bash line isn't enough :(
    >
    > Could you tell me, please?


    What do you mean that your host won't allow you to use Taint mode? Do
    you mean they don't allow Perl, or actually don't allow you to use
    Taint mode? That seems crazy, are you sure that's the case and there
    wasn't some misunderstanding about the question or feature? I can't
    imagine anyone in their right mind denying a user from using a switch
    that helps keep your site (and by proxy, their service your site runs
    on) from being exposed to problems with a potentially insecure portion
    of your code? Is your script perhaps set to run in the background,
    launching a child process or something? This is a really strange thing
    to hear.
    --
    Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
    Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
    and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
    Industry's most experienced staff! -- Web Hosting With Muscle!
    Tim Greer, Sep 23, 2008
    #6
  7. Azol

    Tim Greer Guest

    Azol wrote:

    > Hello.
    >
    > I have to use a long Perl script which uses the "tainted mode" (-T
    > option), but the hoster we use doesn't allow this option unless on a
    > dedicated server (and, of course, we can't pay for a dedicated server).
    >
    > What do I have to do to remove the tainted mode in the script?
    >
    > I'm using PERL sometimes, but don't know very well what this
    > "tainted mode" option implies. However, I suppose removing the "-T" on
    > the bash line isn't enough :(
    >
    > Could you tell me, please?


    Also, and this isn't something I'd usually suggest, if you plan to stay
    with a host that (if what you say is true) is truly clueless enough to
    not allow Taint to be used, then look here and upload the following:
    http://www.cpan.org/modules/by-module/Taint/ and call that in your
    script. I still get the impression that whatever tech representative
    you spoke with or emailed at your host, likely didn't understand your
    question, but if it fails with Taint mode on, be sure it's not your
    script that's causing it to fail, and be sure they really don't allow
    this to be switched on, because that is very strange.
    --
    Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
    Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
    and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
    Industry's most experienced staff! -- Web Hosting With Muscle!
    Tim Greer, Sep 23, 2008
    #7
  8. Azol

    Peter Scott Guest

    On Mon, 22 Sep 2008 19:17:48 +0200, Azol wrote:
    > I have to use a long Perl script which uses the "tainted mode" (-T
    > option), but the hoster we use doesn't allow this option unless on a
    > dedicated server (and, of course, we can't pay for a dedicated server).


    I'm curious; what happens if you run a trivial CGI program with -T on this
    host? Because I can't figure out how they would prohibit -T without
    building perl from a customized source, and I cannot fathom a
    justification for doing so.

    --
    Peter Scott
    http://www.perlmedic.com/
    http://www.perldebugged.com/
    Peter Scott, Sep 23, 2008
    #8
  9. Peter Scott <> writes:

    > I'm curious; what happens if you run a trivial CGI program with -T on this
    > host? Because I can't figure out how they would prohibit -T without
    > building perl from a customized source


    They could be running them in mod_perl's CGI emulation. Taint mode
    must be specified when the interpreter is started. So if you have a
    script that's running in Apache::Registry that has a -T in the #!
    line, and the sysadmin hasn't enabled Taint mode globally with the
    "PerlTaintCheck On" directive in httpd.conf, then you'll get a warning
    to the effect that it's too late to use -T.

    Come to think of it, you might get that warning whether Taint mode is
    enabled globally or not - I've never tried using -T when it's already
    been enabled with PerlTaintCheck.

    sherm--

    --
    My blog: http://shermspace.blogspot.com
    Cocoa programming in Perl: http://camelbones.sourceforge.net
    Sherm Pendley, Sep 23, 2008
    #9
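A diagnostic CGI, added here and not part of the thread, for the situation Sherm describes: rather than inferring from a 500 whether -T took effect, it reports what the interpreter itself says about taint checking through the `${^TAINT}` special variable, and whether the script is running under mod_perl (which sets `$ENV{MOD_PERL}`). The script name and the output format are constructed for the example.

```perl
#!/usr/bin/perl -T
# Added diagnostic (not from the thread): report whether this interpreter
# actually has taint checking on. Under mod_perl's Apache::Registry the -T
# on the #! line is "too late", so the switch can silently be absent.
use strict;
use warnings;

# ${^TAINT} is 1 under -T, -1 under -t (warnings only) and 0 otherwise.
my %state = (
     1 => 'taint checks ON (-T)',
    -1 => 'taint WARNINGS only (-t)',
     0 => 'taint checks OFF',
);

# Returns one line describing taint mode, runtime and perl version.
sub taint_report {
    my $mode    = ${^TAINT};
    my $runtime = exists $ENV{MOD_PERL}
                ? "mod_perl ($ENV{MOD_PERL})"
                : 'plain CGI';
    return sprintf "taint=%d (%s); runtime=%s; perl=%vd\n",
        $mode, $state{$mode}, $runtime, $^V;
}

print "Content-type: text/plain\n\n", taint_report();
```

If this returns a page that says "taint checks OFF" even though the #! line carries -T, the interpreter was started without the switch (the mod_perl case, where only `PerlTaintCheck On` in httpd.conf can turn it on); if the request fails with a 500 instead, the reason is in the web server's error log, not in the script.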
  10. Azol

    Azol Guest

    In article <CJZBk.113$>, says...
    > Azol wrote:
    >
    > > Hello.
    > >
    > > I have to use a long Perl script which uses the "tainted mode" (-T
    > > option), but the hoster we use doesn't allow this option unless on a
    > > dedicated server (and, of course, we can't pay for a dedicated server).
    > >
    > > What do I have to do to remove the tainted mode in the script?
    > >
    > > I'm using PERL sometimes, but don't know very well what this
    > > "tainted mode" option implies. However, I suppose removing the "-T" on
    > > the bash line isn't enough :(
    > >
    > > Could you tell me, please?

    >
    > What do you mean that your host won't allow you to use Taint mode? Do
    > you mean they don't allow Perl, or actually don't allow you to use
    > Taint mode? That seems crazy, are you sure that's the case and there
    > wasn't some misunderstanding about the question or feature? I can't
    > imagine anyone in their right mind denying a user from using a switch
    > that helps keep your site (and by proxy, their service your site runs
    > on) from being exposed to problems with a potentially insecure portion
    > of your code? Is your script perhaps set to run in the background,
    > launching a child process or something? This is a really strange thing
    > to hear.
    >


    Thanks to all of you: it's very cool to get all of your replies :)

    Yes, it's the reply of their support: remove the -T option: oops :(
    Their site is http://www.1and1.fr/

    Also, indeed, the script manages a child process: what do you think
    about that?
    Azol, Sep 23, 2008
    #10
  11. Azol

    Azol Guest

    In article <>,
    says...
    > On Mon, 22 Sep 2008 19:17:48 +0200, Azol wrote:
    > > I have to use a long Perl script which uses the "tainted mode" (-T
    > > option), but the hoster we use doesn't allow this option unless on a
    > > dedicated server (and, of course, we can't pay for a dedicated server).

    >
    > I'm curious; what happens if you run a trivial CGI program with -T on this
    > host? Because I can't figure out how they would prohibit -T without
    > building perl from a customized source, and I cannot fathom a
    > justification for doing so.
    >
    >


    Well, I've tried with this trivial CGI:

    #!/usr/bin/perl -T
    use strict;
    use warnings;
    print "Content-type: text/html\n\n<HTML><BODY><P>Hello World !</P>
    </BODY></HTML>";
    exit 0;

    It returns an "Error 500 - Internal server error" with -T.
    It works without -T.

    So, it seems 1and1.fr really doesn't allow the tainted mode.
    Azol, Sep 23, 2008
    #11
  12. Azol

    Azol Guest

    In article <CJZBk.113$>, says...
    > What do you mean that your host won't allow you to use Taint mode? Do
    > you mean they don't allow Perl, or actually don't allow you to use
    > Taint mode?
    >


    They allow Perl, but not the -T option (so, tainted mode)
    Azol, Sep 23, 2008
    #12
  13. Azol <azol@non-non-non> writes:

    > Well, I've tried with this trivial CGI:
    >
    > #!/usr/bin/perl -T
    > use strict;
    > use warnings;
    > print "Content-type: text/html\n\n<HTML><BODY><P>Hello World !</P>
    > </BODY></HTML>";
    > exit 0;


    You don't need exit() here; it's only needed when you want to
    interrupt the normal flow of execution.

    > It returns an "Error 500 - Internal server error" with -T.


    That's just a generic error that essentially means "something went
    wrong." The actual error message that was printed by Perl is in the
    web server's error log.

    > It works without -T.
    >
    > So, it seems 1and1.fr really doesn't allow the tainted mode.


    Maybe. What's in the error log?

    sherm--

    --
    My blog: http://shermspace.blogspot.com
    Cocoa programming in Perl: http://camelbones.sourceforge.net
    Sherm Pendley, Sep 23, 2008
    #13
  14. Azol

    Tim Greer Guest

    Azol wrote:

    > In article <CJZBk.113$>, says...
    >> Azol wrote:
    >>
    >> > Hello.
    >> >
    >> > I have to use a long Perl script which uses the "tainted mode" (-T
    >> > option), but the hoster we use doesn't allow this option unless on a
    >> > dedicated server (and, of course, we can't pay for a dedicated server).
    >> >
    >> > What do I have to do to remove the tainted mode in the script?
    >> >
    >> > I'm using PERL sometimes, but don't know very well what this
    >> > "tainted mode" option implies. However, I suppose removing the "-T"
    >> > on the bash line isn't enough :(
    >> >
    >> > Could you tell me, please?

    >>
    >> What do you mean that your host won't allow you to use Taint mode?
    >> Do you mean they don't allow Perl, or actually don't allow you to use
    >> Taint mode? That seems crazy, are you sure that's the case and there
    >> wasn't some misunderstanding about the question or feature? I can't
    >> imagine anyone in their right mind denying a user from using a switch
    >> that helps keep your site (and by proxy, their service your site runs
    >> on) from being exposed to problems with a potentially insecure
    >> portion
    >> of your code? Is your script perhaps set to run in the background,
    >> launching a child process or something? This is a really strange
    >> thing to hear.
    >>

    >
    > Thanks to all of you: it's very cool to get all of your replies :)
    >
    > Yes, it's the reply of their support: remove the -T option: oops :(
    > Their site is http://www.....fr/
    >
    > Also, indeed, the script manages a child process: what do you
    > think about that?


    I had just suggested that perhaps they didn't understand the question,
    not that you were running something in the background, but just an
    example of a misunderstanding that perhaps they were saying something
    else wasn't allowed (if you were using Taint mode in that non allowed
    script).
    --
    Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
    Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
    and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
    Industry's most experienced staff! -- Web Hosting With Muscle!
    Tim Greer, Sep 24, 2008
    #14
  15. Azol

    Tim Greer Guest

    Azol wrote:

    > In article <CJZBk.113$>, says...
    >> What do you mean that your host won't allow you to use Taint mode?
    >> Do you mean they don't allow Perl, or actually don't allow you to use
    >> Taint mode?
    >>

    >
    > They allow Perl, but not the -T option (so, tainted mode)


    Right, I got that part. Odd that they don't allow it.
    --
    Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
    Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
    and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
    Industry's most experienced staff! -- Web Hosting With Muscle!
    Tim Greer, Sep 24, 2008
    #15
  16. Azol

    Azol Guest

    In article <>, says...
    > > It returns an "Error 500 - Internal server error" with -T.

    >
    > That's just a generic error that essentially means "something went
    > wrong." The actual error message that was printed by Perl is in the
    > web server's error log.
    >
    > > [quoted text muted]
    > > It works without -T.
    > >
    > > So, it seems 1and1.fr really doesn't allow the tainted mode.

    >
    > Maybe. What's in the error log?
    >


    OK, Sherm, thanks for your help.

    Here is what I get in access.log when I run hello_tainted.pl (so with -T
    of course):

    88.123.74.251 - - [26/Sep/2008:11:53:36 +0200] "GET /cgi-bin/hello_tainted.pl HTTP/1.0" 200 669 sankyogo.com "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727)" "-"

    And this same CGI works if I remove -T as said in a previous post.

    Does it give you an idea?
    Azol, Sep 26, 2008
    #16
  17. Azol <azol@non-non-non> writes:

    >> > So, it seems 1and1.fr really doesn't allow the tainted mode.

    >>
    >> Maybe. What's in the error log?


    > Here is what I get in access.log when I run hello_tainted.pl (so with -T
    > of course)


    The access log and error log contain quite different information. So
    when asked for the error log there is only a very minimal chance that
    the access log contains the needed information.

    //Makholm
    Peter Makholm, Sep 26, 2008
    #17
  18. Azol

    Azol Guest

    In article <>, says...
    > The access log and error log contain quite different information. So
    > when asked for the error log there is only a very minimal chance that
    > the access log contains the needed information.
    >


    Yes, but there isn't any error.log in the log directory, so maybe
    access.log combines accesses and errors in the same file here.
    Azol, Sep 26, 2008
    #18
  19. Azol

    Tim Greer Guest

    Azol wrote:

    > In article <>, says...
    >> The access log and error log contain quite different information. So
    >> when asked for the error log there is only a very minimal chance that
    >> the access log contains the needed information.
    >>

    >
    > Yes, but there isn't any error.log in the log directory, so maybe
    > access.log combines accesses and errors in the same file here.


    Where is your log directory? Are you looking for the error log in the
    log directory for the web server? A lot of hosts have individual
    directories for user's domain logs, or one central location, while the
    actual error logs are usually still located in the standard log
    location for the web service (wherever that might be, depending on
    their configuration and type of service). Ask your host if you're
    unsure.

    By the way, that access log alone showed a 200 response, rather than a
    500 response, so it made it appear as though, from the access log
    standpoint anyway, that it's working (this is why you need to locate
    and show the associated log entry from the error log, when you test the
    script and have it fail). Did you ask your host to clarify how/why
    Taint isn't working?
    --
    Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
    Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
    and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
    Industry's most experienced staff! -- Web Hosting With Muscle!
    Tim Greer, Sep 26, 2008
    #19
  20. Azol

    Azol Guest

    In article <r59Dk.75755$>,
    says...
    > Where is your log directory? Are you looking for the error log in the
    > log directory for the web server? A lot of hosts have individual
    > directories for user's domain logs, or one central location, while the
    > actual error logs are usually still located in the standard log
    > location for the web service (wherever that might be, depending on
    > their configuration and type of service). Ask your host if you're
    > unsure.


    OK, there isn't any error.log in my account... I'll ask support about this.
    Thanks for your advice, Tim.

    >
    > By the way, that access log alone showed a 200 response, rather than a
    > 500 response, so it made it appear as though, from the access log
    > standpoint anyway, that it's working (this is why you need to locate
    > and show the associated log entry from the error log, when you test the
    > script and have it fail). Did you ask your host to clarify how/why
    > Taint isn't working?
    >


    Here is the reply from the hoster's support (translated from French):

    "We inform you that it will not be possible to use this function on
    shared hosting. For that you must turn to the private server offers,
    where root access will allow you to install this type of script."

    oops :(
    Azol, Sep 27, 2008
    #20