I'm running mod_perl 2.0.2 under Apache 2.0.54. After adding "PerlSwitches
-wT" to my Apache config, I wanted to test that taint mode was indeed
working, so I wrote a test script that purposely misused a CGI parameter,
expecting the taint exception to be thrown. I was surprised to find it was
not, so I wrote this small test case:

#!/usr/bin/perl -T

use strict;
use warnings;

use CGI;

delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print "Content-type: text/plain\n\n";
my $q = new CGI;
my $junk = $q->param('log');
# eval($q->param('log'));
if (is_tainted($junk)) {
    print "Param tainted as expected\n";
} else {
    print "Oops! Where's the taint?!?\n";
}
print "\n";
print "\$^TAINT=${^TAINT}", "\n";

sub is_tainted {
    my $arg = shift;
    my $nada = substr($arg, 0, 0);
    local $@;
    eval { eval "# $nada" };
    return length($@) != 0;
}

This prints:

Oops! Where's the taint?!?

$^TAINT=1

under mod_perl2. Indeed, if I go ahead and eval $junk, as long as it's valid
Perl, mod_perl2 gamely evaluates it. If I instead test, for example,
environment variables, the taint exception does get thrown. Under mod_cgi,
the same script prints "Param tainted as expected". Is there a subtlety that
I'm missing here, or have I uncovered a pretty serious bug?

--
Sent from the mod_perl - General mailing list archive at Nabble.com.
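
An added example, not part of the original post and not mod_perl or CGI.pm code: a defensive pattern for the situation described above, where a handler refuses request input that arrives without the taint flag and checks the value against an allowlist in any case. The helper names, the allowlist pattern for the 'log' parameter and the sample values are assumptions made for illustration; the tainted samples are constructed from $0 and $^X so the script runs offline.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T this_script.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed stand-in for external input: a zero-length tainted string
# (under -T, $0 and $^X are tainted) appended to the sample values below.
my $TAINT = substr("$0$^X", 0, 0);

# Hypothetical helper: fail closed if a value that came from the request
# does not carry the taint flag, instead of silently trusting it.
sub assert_external {
    my ($name, $value) = @_;
    die "taint mode is off\n" unless ${^TAINT};
    die "parameter '$name' arrived untainted\n" unless tainted($value);
    return $value;
}

# Hypothetical allowlist for the 'log' parameter: a short log file name.
# The regex capture is what untaints the value, so the pattern must be strict.
sub clean_log_name {
    my ($value) = @_;
    return $1 if defined $value && $value =~ /\A([A-Za-z0-9_-]{1,32}\.log)\z/;
    return;
}

# Constructed sample inputs.
my @samples = (
    [ 'tainted, valid',   'access.log'   . $TAINT ],
    [ 'tainted, hostile', 'system("id")' . $TAINT ],
    [ 'untainted',        'access.log' ],
);

for my $sample (@samples) {
    my ($label, $value) = @$sample;
    my $clean = eval { clean_log_name(assert_external('log', $value)) };
    if ($@) {
        chomp(my $err = $@);
        print "$label: rejected ($err)\n";
    } elsif (!defined $clean) {
        print "$label: rejected (fails allowlist)\n";
    } else {
        printf "%s: accepted '%s' (tainted=%d)\n",
            $label, $clean, tainted($clean) ? 1 : 0;
    }
}
```

Only the first sample is accepted; the allowlist check does not depend on the taint flag, so it still applies in an environment where parameters arrive untainted.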