Michael Peters wrote:
> jalex wrote:
>> I'm running mod_perl 2.0.2 under apache 2.0.54. After adding
>> "PerlSwitches -wT" to my apache config, I wanted to test that taint mode
>> was indeed working, so I wrote a test script that purposely misused a CGI
>> parameter, expecting the taint exception to be thrown. I was surprised to
>> find it was not, so I wrote this small test case:
>> #!/usr/bin/perl -T

> Taint is not controlled by the shebang line on the script because taint is
> interpreter-wide and must be turned on when the interpreter starts, i.e.
> when Apache starts.
> Try adding
> PerlSwitches -T
> to your httpd.conf

Note that the section you quoted says that I did exactly that. The -T is
also on the shebang line so that the same script will have taint enabled
when run from mod_cgi.

Also note that later in my post, I state that unsafe references to
environment variables trigger that taint exception as expected, so taint
mode does appear to be working in my mod_perl2 environment. CGI parameters,
however, when obtained through the CGI.pm param() method, are unexpectedly
not tainted.
Sent from the mod_perl - General mailing list archive at Nabble.com.
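
An added diagnostic, not part of the original thread or of mod_perl itself: rather than waiting for a taint exception, it reports `${^TAINT}` and the taint status of environment values and of each value returned by CGI.pm's param(), so the same script can be compared under mod_cgi and mod_perl. It assumes CGI.pm and Scalar::Util are installed; the output labels and the report() helper are made up for this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);
use CGI ();

# Print one line per value: whether Perl currently marks it as tainted.
sub report {
    my ($label, $value) = @_;
    my $state = !defined $value ? 'undefined'
              : tainted($value) ? 'TAINTED'
              :                   'not tainted';
    printf "%-30s %s\n", $label, $state;
}

my $q = CGI->new;
print $q->header('text/plain');

# ${^TAINT} is 1 with -T, -1 with -t (warnings only), 0 when taint mode is off.
printf "%-30s %d\n", 'taint mode (${^TAINT})', ${^TAINT};

# Values taken straight from the environment.
report("\$ENV{$_}", $ENV{$_}) for qw(PATH QUERY_STRING);

# Values as handed back by CGI.pm (first value of each parameter).
for my $name ($q->param) {
    my $value = $q->param($name);
    report("param('$name')", $value);
}
```

Request it with a query string through the server, or run it offline as `perl -T script.pl name=value`, where CGI.pm reads the parameters from the command line.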