PerlMonks  

Taint CGI param on IIS

by Discipulus (Canon)
on Oct 16, 2003 at 10:01 UTC ( [id://299697]=perlquestion )

Discipulus has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks!!

Unfortunately I'm using IIS, and when I started my CGI on this platform I discovered the "Too late for -T switch" error. I have read the wonderful post "Alternatives to Taint Checking?" and with the following code I try to resolve this deficiency:
Could some wise monk review this?

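#!perl -w
use strict;
use CGI qw/:all -nph/;

# CGI.pm reads these limits from its own package variables
$CGI::POST_MAX        = 100;
$CGI::DISABLE_UPLOADS = 1;
my $q = CGI->new;

# et cetera..

# 2 to 5 dot-terminated labels followed by a 2-4 letter suffix
my $pattern       = qr/(([\w-]+\.){2,5}[a-zA-Z]{2,4}\b)/;
my $good_param_qs = taint_param('qs', $pattern);

# do stuff with almost-tainted param qs...............

# Return the part of the named CGI parameter that matches $matching, or undef
sub taint_param {
    my ($parametro, $matching) = @_;
    my $value = $q->param($parametro);
    if (defined $value && $value =~ /($matching)/) { return $1 }
    else { print "Invalid parameter!\n\n"; return undef }
}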



greetings from sunny Roma
Lorenzo*

Replies are listed 'Best First'.
Re: Taint CGI param on IIS
by inman (Curate) on Oct 16, 2003 at 16:13 UTC
    The application that is called in response to a script is controlled by a list of associations configured in IIS. The method by which you manually make the association between any script and its executable is described in the ActiveState documentation. Normally the association should have been configured if you selected the right install options.

    But in brief - Try this:

    1. Locate your script directory (e.g. cgi-bin) in the IIS admin console
    2. View the properties | Virtual Directory Tab
    3. Press the Configuration button.
    4. Either locate or create the .pl entry
    5. Enter the details shown below then test your app
    Executable = C:\Full\Path\perl.exe -T "%s" %s
    Extension = .pl
    Verbs - Limit to = GET, POST

    The perl executable appears to run OK with the extra option but you might want to check that it is actually doing any work!

    inman
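
One way to confirm that the `-T` in the IIS script mapping above is actually taking effect, and to untaint the `qs` parameter from the question once it is. This is an added example, not code from any poster in this thread; the file name `taintcheck.pl` and the helper `untaint_param` are hypothetical, and `${^TAINT}` assumes Perl 5.8 or later.

```perl
#!perl -w
# taintcheck.pl (hypothetical name): place it in the script directory whose
# .pl mapping reads   perl.exe -T "%s" %s
use strict;
use CGI qw/-nph/;                 # same -nph pragma as in the question
use Scalar::Util qw(tainted);

$CGI::POST_MAX        = 100;      # same limits as in the question
$CGI::DISABLE_UPLOADS = 1;

# Return the whole value if it matches $pattern from start to end, else undef.
# Under -T a regex capture is the sanctioned way to untaint data, so the
# pattern is anchored here and should be as narrow as the consumer requires.
sub untaint_param {
    my ($q, $name, $pattern) = @_;
    my $value = $q->param($name);
    return undef unless defined $value;
    return $value =~ /\A($pattern)\z/ ? $1 : undef;
}

my $q = CGI->new;
print $q->header(-type => 'text/plain');

# ${^TAINT} is 1 when perl was started with -T and 0 when the switch
# in the mapping never reached the interpreter.
unless (${^TAINT}) {
    print "Taint mode is OFF: the -T in the script mapping is not applied\n";
    exit;
}
print "Taint mode is ON\n";

# Everything that arrives through CGI must report as tainted under -T.
my $raw = $q->param('qs');
printf "raw qs tainted: %s\n", tainted($raw) ? 'yes' : 'no' if defined $raw;

# Host-name pattern from the question; untaint_param adds the anchors.
my $host_re = qr/(?:[\w-]+\.){2,5}[a-zA-Z]{2,4}/;
my $qs = untaint_param($q, 'qs', $host_re);
if (defined $qs) {
    printf "clean qs: %s (tainted: %s)\n", $qs, tainted($qs) ? 'yes' : 'no';
}
else {
    print "Invalid parameter!\n";
}
```

Because the shebang line carries no `-T`, the script also runs under an unmodified mapping and reports "Taint mode is OFF" rather than dying with "Too late for -T".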

Re: Taint CGI param on IIS
by Abigail-II (Bishop) on Oct 16, 2003 at 10:06 UTC
    What exactly is your question? You're not using taint checking, and you're not doing anything that would trigger a taint check anyway. It's also not code that could trigger the message you describe, and there's no taint checking turned on.

    Abigail

      oh excuse me
      on IIS you cannot turn on taint checking, and I am asking whether my code could be an almost-valid solution

      lor*

        You can run Perl with taint checking switched on, with IIS, though I will admit it's not as easy as with a proper web server such as Apache - which runs very well on NT systems.

        A long time ago when forced to use NT/IIS I ran into the same problem, and its normal work-around - Taint with Perl on NT/IIS.


        --
        ajt
