#1
Taint and Too late for "-T" option
I was wondering if someone could tell me about Taint and using it in a Perl script. I have read up on it and basically I understand that Taint marks data that flows into the program as tainted so that the data cannot be used to access anything outside the scope of the program etc.
Next I tried to use Taint by including #!/usr/bin/perl -T at the top of my perl script. I then received the error: Too late for "-T" option. I then tried calling my perl script from a web page with action="myScript.pl -T", but of course this didn't work either.

So, is Taint used out there? Is it important to use? Is it costly (will it slow down my script)? If I should use it, how do I do so? I'm calling the script from a web page.

Thanks for the help.
#2
It is important for security purposes. When the data is marked, the idea is that nothing else will use it.
The 'Too late for "-T" option' is what happens when you run your script from the command line. If you want to do that, then remove the option from your shebang line and pass it in from your command line:
Code:
[prompt]$ perl -T filename.cgi
Otherwise, simply having it on your shebang line should allow you to call the script from a browser with taint checking enabled.
__________________
- dsb - Perl Guy
#3
Actually I got the Too late for "-T" option error when I included -T on the shebang line:
#!/usr/bin/perl -T
I'm using Apache.
#4
That's why I said remove it when you are running the script from the command line.
Leave it on the shebang line if you are calling it from your browser. If you want to call your script from the command line do it like so:
Code:
$ perl -T script.cgi
and your shebang line should read:
Code:
#!/usr/bin/perl
#5
I have never called it from the command line or intend to do so. I got the error while trying to call it from a web page NOT from the command line.
#6
Perl or mod perl?
Copied from:
http://www.perldoc.com/perl5.6/pod/...%20-T%20options
Code:
Too late for "-T" option
(X) The #! line (or local equivalent) in a Perl script contains the -T option, but Perl was not invoked with -T in its argument list. This is an error because, by the time Perl discovers a -T in a script, it's too late to properly taint everything from the environment. So Perl gives up.

Therefore me guesses: You may be using mod perl and it is invoked without the taint. Once the shebang is processed the interpreter fails. Look for perl and mod perl documentation for your version and how to enable taint.
Hope this helps
__________________
Thanks Foot in Mouth ver 1.2.5 Onion
#7
Removing "-T" from the shebang line wouldn't be the best solution if you want to run a taint-checked perl script from the command line.
You can just run the script with the -T option enabled in your perl interpreter at compile time, thusly:
perl -T yourscript.pl

Taking taint out of your script is the wrong way to fix it. What it does is keep track of data that comes into the script and make sure you don't use it anywhere that you could compromise security without double-checking what's in the user submitted data. This is, undoubtedly, a good thing for a script to have, it's like a built-in, free, unblinking security audit!

Say you have a script that passes user-submitted data to a "whois" command on your server to allow your visitors to do a whois query. The code in your perl script MIGHT look like this:
my $output = `whois $userdata`;
Now say a malicious user types " & rm -Rf / " into the whois query. Without taint checking enabled in your script, this would just pass right through and delete everything owned by nobody (or whatever your webserver runs as). Same principle applies to a windows server too. Taint checking watches the data to make sure you don't send anything out before you've validated it. A Good Thing.

On the "too late for taint" error you're getting from the browser: It does sound like mod_perl is handling the script. You should find out under what circumstances mod_perl is set up to be the handler: Usually for a specific extension or for files in a specific directory.

Good Luck!!
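Added example, not part of the thread and not any poster's code: the whois pattern from post #7 under taint mode, next to a validated, shell-free form. The file name whois_demo.pl, the /bin/echo stand-in for the whois client, and the domain pattern are assumptions made for the illustration; it expects a Unix-like system.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run as "perl -T whois_demo.pl" or
# execute the file directly; "perl whois_demo.pl" reproduces the -T error.
use strict;
use warnings;

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Taint mode refuses to spawn anything while the inherited environment
# is unchecked, so pin PATH and drop the variables a shell would honour.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Stand-in for the whois client so the demo needs no network (assumption).
my @lookup = ('/bin/echo', 'whois');

# Constructed inputs. Appending a zero-length slice of the tainted $^X
# marks each value tainted, just as CGI form data would be.
my @submitted = map { $_ . substr($^X, 0, 0) }
    ('example.com', 'example.com; echo INJECTED');

for my $userdata (@submitted) {
    # Pattern from post #7: tainted data reaches a shell. Under -T perl
    # dies with "Insecure dependency" before the shell is started.
    my $out = eval { `@lookup $userdata` };
    print "backticks: ", (defined $out ? "ran\n" : "blocked: $@");

    # Untaint: only a regex capture yields clean data, so the pattern is
    # the validation. Hostname labels only; nothing a shell treats specially.
    my ($domain) = $userdata =~ /\A((?:[a-z0-9-]{1,63}\.)+[a-z]{2,63})\z/i;
    unless (defined $domain) {
        print "rejected: not a domain name\n";
        next;
    }

    # List-form pipe open: no shell, the value is a single argv entry.
    open(my $fh, '-|', @lookup, $domain) or die "cannot run lookup: $!";
    print "lookup: $_" while <$fh>;
    close $fh;
}
```

The first input is blocked in backticks but passes validation and reaches the lookup; the second is blocked in backticks and then rejected by the pattern.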
#8
Again, I'm not calling perl from the command line. Who does this anyway? I am invoking a Perl Script from a web browser by going to a http://www.mysite.myscript.pl
I'm using a local Apache web server and I'm NOT using mod_perl. I still get the "too late" error. Maybe I should wake up earlier in the morning :-)

My script looks like this...
#!/usr/bin/perl -T
require 5.003;
require "cgi-lib.pl";
require "file1.pl";
require "file2.pl";
require "file3.pl";
require "file4.pl";

Can anyone show me an example of using Taint? NOT FROM THE COMMAND LINE BUT FROM THE WEB INVOKING IT.

Thanks
#9
I think your answer is:
I agree you are not running this command line.
I just tried off the web:
Code:
#!c:/perl/bin/perl -Tw
print "Content-Type: text/html\n\n";
$date ="2001-05-16";
($year,$month,$day) = split(/-/, $date);
print " Year = $year\n";
print " Month = $month\n";
print " Day = $day\n";
And no error off the web. But for the same file on command line:
Code:
C:\Program Files\Apache Group\Apache\cgi-bin>perl -c date.pl
Too late for "-T" option at date.pl line 1.
And:
Code:
C:\Program Files\Apache Group\Apache\cgi-bin>perl -Tc date.pl
date.pl syntax OK
Yields no error as the Taint is called first, even before perl looks at the shebang -T.

You have: require 5.003;
I have: perl, v5.6.0 built for MSWin32-x86-multi-thread.

So there must be a configuration where perl is being called without taint and then runs your script with a -T and complains at this point.

Hope this gets you a little closer to the answer.
#10
Running a script from the command line is one of the absolute best ways to debug a script. If you develop CGIs without running them from the command line to test them, you are causing yourself much more work than needed.
I understood that you weren't running it from the command line. Without knowing your specific server information or the content of your specific scripts, it is impossible to help you beyond pointing you to documentation.

Good luck!