

by BrentDax (Hermit)
on Sep 06, 2003 at 07:56 UTC (#289432, sourcecode)
Category: CGI Programming
Author/Contact Info Brent Dax (

This little chunk of code untaints the things in the environment that should be safe in CGI work, like the PATH.

I'm not quite sure why, but something about this seems...wrong somehow. I'm not sure I should release it to CPAN--any opinions are welcome.

package taint::CGI;

use 5.008;
use strict;
use warnings;
use warnings::register;

our $VERSION = '0.01';

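# Untaint the argument in place: a regex capture is untainted, and
# (.*) with /s matches any value, so no checking is done here.
sub untaint {
    $_[0]=($_[0] =~ m/(.*)/s)[0];
}

# ${^TAINT} is false when Perl was started without -T or -t.
if(defined ${^TAINT}) {
    warnings::warnif("taint::CGI module used with taint mode off")
        unless ${^TAINT};
}

# Untaint every environment variable except HTTP_* and HTTPS_*.
for(keys %ENV) {
    next if /^HTTPS?_/;
    untaint $ENV{$_};
}

1;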

=head1 NAME

taint::CGI - Clean up tainted values that are safe in CGI scripts


  use taint::CGI;
  system("foo");                    #ok
  system($ENV{HTTP_QUERY_STRING});  #still bad


taint::CGI is a module designed to be used in CGI scripts, where the 
full power of taint checking is unnecessary.  It removes the taint on 
most of the environment, leaving only the HTTP_* and HTTPS_* values 


Taint checking is always a wise idea when writing CGI scripts.  It helps
you catch stupid security bugs, like passing a CGI parameter into a 
system() call without checking it.  But it also checks for things that
CGI programs don't need to worry about too much, like a $PATH that has
been explicitly set.

C<taint::CGI> helps fix that.  It untaints most of the environment for you,
leaving the values the server (and often ultimately the user) gave you alone.
Thus, you get the security of tainted user data without all the hassle of
mucking with your environment.

Note that this does I<not> remove the need to taint-check CGI parameters.
Nor does it remove the need to put a -T or -t in your shebang line.  (It
will warn you if you try to use it with tainting disabled, however.)  It
merely removes a dozen or so boilerplate lines of code from your script.

=head2 USAGE

A C<use taint::CGI;> statement untaints the safe parts of the environment.
This happens at compile-time, not runtime.  It applies to all packages and

There is no built-in facility for re-tainting the environment.


=over 4

=item taint::CGI module used with taint mode off

This diagnostic is emitted when taint::CGI is used, but Perl was not started
with the -T or -t switch.  Try modifying the shebang line at the top of your
script, or comment out the call to taint::CGI.

=item Insecure dependency in %s

This diagnostic is emitted by Perl when taint checks are violated.  Take a
look at the indicated line number and operation, and see if you can figure out
how it received a tainted argument.

=item Insecure directory in %s

Taint checks don't allow you to put a directory that's writable to all users in
your $PATH.  Sorry.  You'll have to explicitly set your $PATH to something safe.

=item Insecure $ENV{%s} while running %s

If this diagnostic is emitted by Perl, this module probably isn't functioning
properly.  You should probably report it to the author.

=back


=head1 SEE ALSO


L<taint> (on versions of Perl that support it)

=head1 AUTHOR

Brent Dax, E<lt>brentdax@cpan.orgE<gt>


Copyright 2003 by Brent Dax.  All Rights Reserved.

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself. 

Replies are listed 'Best First'.
•Re: taint::CGI
by merlyn (Sage) on Sep 06, 2003 at 12:58 UTC
    A "generic" untainting is always a bad idea. Either use tainting, or don't use it. If you're gonna untaint nearly everything anyway with no pattern checking that is domain specific, just turn tainting off.

    Bad idea. Definitely bad idea.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.
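
The two filtering policies discussed in this thread, side by side, as an added example (not code from the original post or from any reply): the posted loop clears every variable whose name does not match /^HTTPS?_/, which includes request-derived CGI variables such as QUERY_STRING and PATH_INFO, while a per-variable allowlist untaints only values that pass their own pattern. The allowlist contents, the sample environment and the function names `untaint_allowed` and `blanket_untainted` are assumptions made for the illustration.

```perl
# Added example, not part of taint::CGI. A real CGI script would run under -T.
use strict;
use warnings;

# Assumed policy: variables the server sets itself, each with the pattern
# its whole value must match before the capture is allowed to untaint it.
my %ALLOW = (
    SERVER_PORT       => qr/\A(\d{1,5})\z/,
    SERVER_PROTOCOL   => qr/\A(HTTP\/\d\.\d)\z/,
    GATEWAY_INTERFACE => qr/\A(CGI\/\d\.\d)\z/,
    REQUEST_METHOD    => qr/\A(GET|HEAD|POST)\z/,
);

# Untaint allowlisted, well-formed values in place; return the names
# that were left untouched (and so stay tainted under -T).
sub untaint_allowed {
    my ($env) = @_;
    my @left;
    for my $name (sort keys %$env) {
        my $re = $ALLOW{$name};
        if ($re && defined $env->{$name} && $env->{$name} =~ $re) {
            $env->{$name} = $1;    # regex capture of a checked value
        }
        else {
            push @left, $name;     # unknown name or malformed value
        }
    }
    return @left;
}

# Names the posted loop would untaint: everything not matching /^HTTPS?_/.
sub blanket_untainted {
    my ($env) = @_;
    return grep { !/^HTTPS?_/ } sort keys %$env;
}

# Constructed sample of a CGI environment (values are made up).
my %env = (
    SERVER_PORT  => '443',        REQUEST_METHOD  => 'GET',
    QUERY_STRING => 'file=a;b',   PATH_INFO       => '/x/../y',
    CONTENT_TYPE => 'text/plain', HTTP_USER_AGENT => 'demo/1.0',
);

print "blanket rule untaints: @{[ blanket_untainted(\%env) ]}\n";
print "allowlist leaves tainted: @{[ untaint_allowed(\%env) ]}\n";
```

Anything the allowlist leaves behind still has to be validated where it is used, with a pattern written for that use.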

Re: taint::CGI
by Anonymous Monk on Sep 06, 2003 at 08:16 UTC
    This shouldn't be a pragma, try something like CGI::EnvNtaint or Taint::EnvForCGI or Untaint::EnvForCGI. Also, there is no L<taint>, so you need to relink that. Also, you can make this work with 5.005 or older versions, so you might as well go ahead and do that.
    Just my 1 cent, John
