Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation
 
PerlMonks  

How do I get scripts to run with Taint mode on IIS?

by radiantmatrix (Parson)
on Jan 12, 2005 at 20:25 UTC ( #421751=perlquestion: print w/replies, xml ) Need Help??

radiantmatrix has asked for the wisdom of the Perl Monks concerning the following question:

IIS doesn't respect the #! line, so one would normally have to edit the association for Perl CGI to all run in taint mode (using the -T switch). However, this can break other people's code. Thanks to diotalevi, there is a way to turn on Taint checking for one particular script, at a slight performance cost:
BEGIN { unless ( ${^TAINT} ) { exec $^X, '-T', $0 } }
Placed as the very first line in the script (even before you 'use' anything), this will re-call the Perl interpreter on one's script, and even preserves the CGI parameters in the process. There is a small hit on speed, as the interpreter loads twice, but the hit is better than running without tainting.

Of course, the real solution is to use a better-equipped web server; but as that's not always an option...

Originally posted as a Categorized Question.

Replies are listed 'Best First'.
Re: How do I get scripts to run with Taint mode on IIS?
by legato (Monk) on Jan 13, 2005 at 19:00 UTC
    Unfortunately, IIS doesn't respect the shebang in CGI or ISAPI mode. One can change the CGI association from C:\Perl\bin\perl.exe "%s" %s to C:\Perl\bin\perl.exe -T "%s" %s -- but that may break other scripts, as it turns tainting on for all Perl scripts. Also, it can be very hard to do that when one doesn't have admin rights on a given server, but still wants to use the benefits associated with tainting.
Re: How do I get scripts to run with Taint mode on IIS?
by Ovid (Cardinal) on Jan 12, 2005 at 21:48 UTC

    Is it that IIS doesn't respect the switches on the command line or ISAPI ignores the switches because it already has a Perl interpreter running? If you setup IIS to run scripts as CGIs instead of ISAPI, do you get the same behavior? I don't believe you do.

Re: How do I get scripts to run with Taint mode on IIS?
by gellyfish (Monsignor) on Jan 14, 2005 at 09:48 UTC

    A further discussion of Tainting with respect to IIS is given in the NMS FAQ

    /J\

Re: How do I get scripts to run with Taint mode on IIS?
by sithsasquatch (Scribe) on Jul 13, 2005 at 22:57 UTC
    I had the same problem (and asked about it a week ago, b/c I somehow missed this post in the Q&A when I searched). What I did was configure IIS to use taint mode Perl (using C:\Perl\bin\perl.exe -T "%s" %s ) with a specific file extension, such as .tcgi or .tpl. Then to make the scripts run taint mode, simply change the extension to whatever you set up in IIS, such as .tcgi or .tpl.
Re: How do I get scripts to run with Taint mode on IIS?
by saskaqueer (Friar) on Jan 14, 2005 at 19:25 UTC
    There is a small hit on speed, as the interpreter loads twice, but the hit is better than running without tainting.

    I have to disagree in respect to the performance hit being better than running sans taint mode. If you as a programmer really know what you are doing in a public environment such as CGI, then taint mode is not that necessary. As long as you take all the proper precautions as you would while under taint mode, then you will be fine.

    Now, someone will most likely counter this claim with the "well, what if you forget to check for something?" question. Quite true, but like I said, such a thing wouldn't likely occur to someone who knows what they are doing.

      It's very easy to say "well, you can do taint checking without taint mode on". And yes, you are right. But your comment "such a thing wouldn't likely occur to someone who knows what they are doing." is counter-intuitive.

      A good programmer thinks not only of what (s)he is capable of, but also that the code will be maintained in the future -- maybe by someone else. Not using tainting invites three forms of disaster:

      1. Mistakes in untainting (this is analogous to why good programmers use strictures)
      2. Tainting introduced accidentally during a "quick revision"
      3. Tainting introduced by another developer during maintainance.
      If all one is doing involves validating a name and email address or some such simplicity, then perhaps tainting isn't absolutely necessary, but when one is dealing with large amounts of data, it is.

      For this solution, the performance hit is quite tiny. In large environments where performance would be a significant issue, one would likely be able to make the case with the admin staff to set up a perl -T association.

      Anima Legato
      .oO all things connect through the motion of the mind

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://421751]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (3)
As of 2021-09-18 19:46 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?