
[PATCH] Documentation on taint/environment interactions for perlrun.pod



G'day p5p,

I've been looking at how Perl's environment variables interact with taint 
mode, and I've prepared the following patches (attached) to document them a 
little bit.

Patches generated with git-format-patch, which shows just how many attempts
it took for me to get them right, including me inserting and removing text.
Is this our preferred method for generating patches under git, or should I
be trying to produce more traditional single-file patches?

Cheerio,

	Paul

-- 
Paul Fenwick <pjf@perltraining.com.au> | http://perltraining.com.au/
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681
From 80513b15ac0223a14660fb000cb75253ea2d1a58 Mon Sep 17 00:00:00 2001
From: Paul Fenwick <pjf@perltraining.com.au>
Date: Tue, 24 Jun 2008 13:29:09 +1000
Subject: [PATCH] Additional information on which environment variables interact with taint.

Specifically, under taint:

* PERLIO is completely ignored

* PERLLIB is completely ignored

* PERL5DB is respected!  Don't leave your setuid programs with -d
  on the shebang line.

* PERL5SHELL is checked as of 5.8.8 and 5.10.0.  To be safe, you
  should clean this yourself when running under Win32/taint.
---
 pod/perlrun.pod |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/pod/perlrun.pod b/pod/perlrun.pod
index a8458a8..b480a00 100644
--- a/pod/perlrun.pod
+++ b/pod/perlrun.pod
@@ -1093,6 +1093,9 @@ compiler's numeric file descriptor routines. There is an experimental native
 C<win32> layer which is expected to be enhanced and should eventually be
 the default under Win32.
 
+The PERLIO environment variable is completely ignored when perl
+is run in taint mode.
+
 =item PERLIO_DEBUG
 X<PERLIO_DEBUG>
 
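Review bot: the added PERLIO paragraph says "taint mode" without saying what puts perl into it, and it sits directly above =item PERLIO_DEBUG without saying whether that variable is ignored as well. Suggest naming the B<-T> switch (or linking to L<perlsec>) in the new sentence, and stating PERLIO_DEBUG's behaviour under its own item so a reader does not assume the PERLIO rule extends to it.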
@@ -1117,6 +1120,9 @@ A list of directories in which to look for Perl library
 files before looking in the standard library and the current directory.
 If PERL5LIB is defined, PERLLIB is not used.
 
+The PERLLIB environment variable is completely ignored when perl
+is run in taint mode.
+
 =item PERL5DB
 X<PERL5DB>
 
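Review bot: in the PERLLIB item the new paragraph covers only PERLLIB, while the context line just above it says PERLLIB is not used when PERL5LIB is defined, so a reader is left to guess whether PERL5LIB is still honoured under taint. Suggest saying here what happens to PERL5LIB, or pointing at the PERL5LIB item for it.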
@@ -1124,6 +1130,11 @@ The command used to load the debugger code.  The default is:
 
 	BEGIN { require 'perl5db.pl' }
 
+The PERL5DB environment variable only used when perl is started
+with the B<-d> switch.  PERL5DB is respected even in taint mode,
+so you should never use the B<-d> switch on the shebang line of
+a setuid program.
+
 =item PERL5DB_THREADED
 X<PERL5DB_THREADED>
 
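Review bot: the first added sentence in the PERL5DB item is missing its verb: "The PERL5DB environment variable only used when" should read "is only used when". The warning that follows depends on exactly which forms of B<-d> consult PERL5DB, so that is worth stating precisely in this patch rather than in a follow-up commit.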
@@ -1146,6 +1157,11 @@ fit for interactive use, and setting COMSPEC to such a shell may
 interfere with the proper functioning of other programs (which usually
 look in COMSPEC to find a shell fit for interactive use).
 
+Before Perl 5.10.0 and 5.8.8, PERL5SHELL was not taint checked
+when running external commands.  It is recommended that
+you explicitly set (or delete) C<$ENV{PERL5SHELL}> when running
+in taint mode under Windows.
+
 =item PERL_ALLOW_NON_IFS_LSP (specific to the Win32 port)
 X<PERL_ALLOW_NON_IFS_LSP>
 
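Review bot: "Before Perl 5.10.0 and 5.8.8" lists the versions out of order and leaves it unclear whether the 5.8.x check arrived in 5.8.8 itself; the commit message's wording, "checked as of 5.8.8 and 5.10.0", is clearer. Suggest reusing that wording in the pod, and saying which of "set" or "delete" is preferred for C<$ENV{PERL5SHELL}> and, if set, to what kind of value.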
-- 
1.5.2.2

From ab625c8004fd2827a07f0e126b33cd7ca0394b39 Mon Sep 17 00:00:00 2001
From: Paul Fenwick <pjf@perltraining.com.au>
Date: Tue, 24 Jun 2008 13:37:49 +1000
Subject: [PATCH] Looks like PERL5DB is only examined if a bare -d is used.

---
 pod/perlrun.pod |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pod/perlrun.pod b/pod/perlrun.pod
index b480a00..4bfa1d8 100644
--- a/pod/perlrun.pod
+++ b/pod/perlrun.pod
@@ -1130,10 +1130,10 @@ The command used to load the debugger code.  The default is:
 
 	BEGIN { require 'perl5db.pl' }
 
-The PERL5DB environment variable only used when perl is started
-with the B<-d> switch.  PERL5DB is respected even in taint mode,
-so you should never use the B<-d> switch on the shebang line of
-a setuid program.
+The PERL5DB environment variable only used when perl is started with
+the B<-d> switch with no arguments.  PERL5DB is respected even in
+taint mode, so you should never use a bare B<-d> switch on the shebang
+line of a setuid program.
 
 =item PERL5DB_THREADED
 X<PERL5DB_THREADED>
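Review bot: the rewritten sentence still reads "variable only used when" with no "is", and the paragraph now uses two terms for the same thing, "the B<-d> switch with no arguments" and "a bare B<-d> switch". Suggest fixing the verb while these lines are being touched and picking one term. Since this commit only rewords text added by the previous patch in the series, the two could be squashed.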
-- 
1.5.2.2

From 95261a24bbedf06997f0e86f2562ba6c9084c589 Mon Sep 17 00:00:00 2001
From: Paul Fenwick <pjf@perltraining.com.au>
Date: Tue, 24 Jun 2008 13:45:31 +1000
Subject: [PATCH] PERL5DB and taint isn't completely evil.

Because PERL5DB is only used when Perl is invoked with a bare -d switch,
it doesn't represent an additional threat, since finding a setuid program
with a bare -d already lets you run arbitrary code.
---
 pod/perlrun.pod |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/pod/perlrun.pod b/pod/perlrun.pod
index 4bfa1d8..2a53ec7 100644
--- a/pod/perlrun.pod
+++ b/pod/perlrun.pod
@@ -1131,9 +1131,7 @@ The command used to load the debugger code.  The default is:
 	BEGIN { require 'perl5db.pl' }
 
 The PERL5DB environment variable only used when perl is started with
-the B<-d> switch with no arguments.  PERL5DB is respected even in
-taint mode, so you should never use a bare B<-d> switch on the shebang
-line of a setuid program.
+a bare B<-d> switch.
 
 =item PERL5DB_THREADED
 X<PERL5DB_THREADED>
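Review bot: the removed lines take out the statement that PERL5DB is respected in taint mode along with the setuid warning, which leaves PERL5DB as the only one of the four variables touched by this series with no documented taint behaviour. The commit message argues that the warning is unnecessary, not that the fact is wrong, so suggest keeping "PERL5DB is respected even in taint mode" and adding the reasoning from the commit message after it. The surviving sentence also still lacks "is" before "only used".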
-- 
1.5.2.2


Follow-Ups from:
"Rafael Garcia-Suarez" <rgarciasuarez@gmail.com>