Hello all.
I am teaching myself Perl and have written a CGI script that allows a
user to change his/her Apache password by calling "htaccess" in batch
mode via a set of backticks (intranet only!).
The script is running perfectly, however, I'd really like to place it
in taint mode so that I can learn the right way. However, when I do
that, it breaks. Here is a snippet where things go amiss:
#!/opt/perl/bin/perl -wT
use strict;
use CGI;
my $q = CGI->new;    # CGI object the param/remote_user calls below use
my $pass=$q->param("pass");
my $pass_ck=$q->param("pass_ck");
my $user=$q->remote_user;
my $pcmd='/opt/apache/bin/htpasswd -b';
my $auth='/usa/auth/passwd';
$ENV{PATH}='/usr/bin';
#... - Subroutines to Create HTML Snipped out - ...#
if ( $pass && $pass_ck ) {
    if ( $pass eq $pass_ck ) {
        if ( $pass =~ /^[A-Za-z0-9]+$/ ) {
            $pass = $1;
            my $output=`$pcmd $auth $user $pass 2>&1`;
            chomp($output);
            if ( $output eq "Updating password for user $user" ) {
                print "PASSWORD CHANGE OKAY";
            } else {
                print "ERROR CHANGING PASSWORD";
            }
        } else {
            print "PASSWORD FAILED - NON ALPHANUMERIC";
        }
    } else {
        print "PASSWORDS DO NOT MATCH";
    }
}
The form is basically, "enter new password," "enter new password
again," and "submit." So, first I ensure that the passwords entered
are not null, and then verify that they match. After that (the third
if) I try to untaint the $pass variable.
I check to ensure that it is alphanumeric and then assign it to $1.
After which, I place it in the shell execution backticks. However,
both $1 and $pass are null now, and the execution fails.
The error coming from Perl is:
"Use of uninitialized value in concatenation (.) or string at
/usa/perl/change_pass.pl line 67."
That line is where I declare and set $output (i.e. the backtick
execution).
I'm stumped. I really want to learn this the right way first time
around and get things working with taint. I love the concept behind
it, just having trouble with the implementation.
My appreciation for any assistance,
Tom
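The following is an added example, not Tom's script, showing the untainting pattern that taint mode expects for this situation: the regex needs a capture group for $1 to be set at all, REMOTE_USER is also tainted and needs the same treatment, and the external command is run as an argument list (no shell) so nothing in the password or username can be interpreted by /bin/sh. The htpasswd and password-file paths are taken from the post; the sample inputs at the bottom are constructed stand-ins for the CGI parameters, and the script only executes htpasswd if that binary is actually present.

```perl
#!/opt/perl/bin/perl -wT
# Added example (not the original poster's code): capture-group untainting
# and a shell-free htpasswd call that works under -T.
use strict;
use warnings;

# Taint mode refuses to run external commands until PATH is set explicitly
# and the shell-influencing variables are gone.
$ENV{PATH} = '/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $HTPASSWD = '/opt/apache/bin/htpasswd';   # path from the post
my $AUTH     = '/usa/auth/passwd';           # path from the post

# Return the untainted password if it meets the policy, otherwise undef.
# The parentheses are what populate $1; /^[A-Za-z0-9]+$/ alone sets nothing,
# which is why both $1 and $pass ended up undefined in the post.
sub untaint_password {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /^([A-Za-z0-9]+)$/ ? $1 : undef;
}

# REMOTE_USER is set by the web server, but Perl still marks it tainted,
# so it goes through the same kind of check before reaching exec.
sub untaint_user {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /^([A-Za-z0-9_.-]+)$/ ? $1 : undef;
}

# Run "htpasswd -b FILE USER PASS" without a shell and return
# (exit status, combined stdout+stderr). Constructed wrapper around the
# command line used in the post.
sub change_password {
    my ($user, $pass) = @_;
    my $pid = open(my $fh, '-|');          # fork; child's STDOUT is the pipe
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        open(STDERR, '>&', \*STDOUT) or die "dup failed: $!";
        exec $HTPASSWD, '-b', $AUTH, $user, $pass
            or die "exec failed: $!";
    }
    my $output = do { local $/; <$fh> };
    close $fh;                             # sets $? from the child
    $output = '' unless defined $output;
    chomp $output;
    return ($? >> 8, $output);
}

# Constructed sample inputs standing in for $q->param and $q->remote_user.
my %form = (pass => 'abc123', pass_ck => 'abc123', bad_pass => 'abc;rm');
my $remote_user = 'tom';

for my $candidate ($form{pass}, $form{bad_pass}) {
    my $clean = untaint_password($candidate);
    printf "%-8s -> %s\n", $candidate, defined $clean ? "accepted" : "rejected";
}

my $user = untaint_user($remote_user);
my $pass = $form{pass} eq $form{pass_ck} ? untaint_password($form{pass}) : undef;

if (defined $user && defined $pass) {
    if (-x $HTPASSWD) {
        my ($status, $out) = change_password($user, $pass);
        print $status == 0 ? "PASSWORD CHANGE OKAY\n" : "ERROR CHANGING PASSWORD: $out\n";
    } else {
        print "htpasswd not found at $HTPASSWD; skipping the real call\n";
    }
} else {
    print "input rejected before any command ran\n";
}
```

Two design points are worth noting. Running the command through exec with a list means the shell never sees the arguments, so the alphanumeric regex is there to enforce a password policy rather than to hold off shell metacharacters, and the exit status is a more reliable success signal than comparing the exact output string. Separately, htpasswd -b accepts the password on the command line, where it is visible in the process list to other users on the host for the lifetime of the process; on a shared system the same list-form exec can feed the password on stdin instead, or the Apache-documented htpasswd -i option can be used where the installed version supports it.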