How to unable the use of tainted mode in a CGI script ?

 
 
Azol
Guest
Posts: n/a
 
      09-22-2008
Hello.

I have to use a long perl script which uses the "tainted mode" (-T
option), but the hoster we use doesn't allow this option except on a
dedicated server (and, of course, we can't pay for a dedicated server).

What do I have to do to remove the tainted mode in the script?

I'm using PERL sometimes, but don't know very well what this
"tainted mode" option implies. However, I suppose removing the "-T" on bash line
isn't enough.

Could you tell me, please?
 
Joost Diepenmaat
Guest
Posts: n/a
 
      09-22-2008
Azol <azol@non-non-non> writes:

> Hello.
>
> I have to use a long perl script which use the "tainted mode" (-T
> option), but the hoster we use doesn't allow this option unless on
> dedicated server (and, of course, we can't pay a dedicated server).


Very strange. You might consider looking for another hosting
company. I've never heard of anything like that.

> What I have to do to remove the tainted mode in the script ?


Just remove the -T option. That's really all it takes (taint mode can
only be enabled at the very start of the program).

--
Joost Diepenmaat | blog: http://joost.zeekat.nl/ | work: http://zeekat.nl/
 
John Bokma
Guest
Posts: n/a
 
      09-22-2008
Azol <azol@non-non-non> wrote:

> I'm using PERL sometimes,


Perl is not an acronym; perl is the name of the executable that runs your
Perl program.

> but don't know very well what implies this
> "tainted mode" option.


perldoc -q taint
which points to "Laundering and Detecting Tainted Data" in perlsec
(i.e. perldoc perlsec )

"
This flag is *strongly* suggested for server programs and any program
run on behalf of someone else, such as a CGI script. Once taint mode is
on, it's on for the remainder of your script.
"

--
John http://johnbokma.com/ - Hacking & Hiking in Mexico

Perl help in exchange for a gift:
http://johnbokma.com/perl/help-in-ex...or-a-gift.html
 
smallpond
Guest
Posts: n/a
 
      09-22-2008
On Sep 22, 1:17 pm, Azol <azol@non-non-non> wrote:
> Hello.
>
> I have to use a long perl script which use the "tainted mode" (-T
> option), but the hoster we use doesn't allow this option unless on
> dedicated server (and, of course, we can't pay a dedicated server).
>
> What I have to do to remove the tainted mode in the script ?
>
> I'm using PERL sometimes, but don't know very well what implies this
> "tainted mode" option. However, I suppose removing the "-T" on bash line
> isn't enough
>
> Could you tell me, please.


On a shared server it is quite reasonable for the CGI to run tainted.
Read perlsec for information on untainting received parameters and
what is not allowed. If you post the failing code, we could suggest
proper ways to do what you want.

--S
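
Added example (not part of the original thread): a minimal CGI script that keeps -T and untaints one request parameter before handing it to a child process, following the regex-capture approach described in perlsec. The parameter name `report`, the directory `/var/www/reports` and the use of `wc` are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI ();
use Scalar::Util qw(tainted);

$| = 1;   # flush our header before the child process writes to STDOUT

# Taint mode refuses to start a child process while these are inherited
# from the caller (see perlsec), so pin PATH and drop the rest.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allow-list check. Only the captured group ($1) comes back untainted;
# the original string stays tainted.
sub untaint_report_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/ ? $1 : undef;
}

my $q    = CGI->new;
my $raw  = $q->param('report');        # hypothetical parameter, tainted
my $name = untaint_report_name($raw);

print $q->header('text/plain');
unless (defined $name) {
    print "invalid report name\n";
    exit 0;
}
die "report name is still tainted\n" if tainted($name);

my $path = "/var/www/reports/$name.txt";   # constructed directory
unless (-f $path) {
    print "no such report\n";
    exit 0;
}

# List-form system(): no shell is involved and every argument is untainted.
system('/usr/bin/wc', '-l', $path) == 0
    or print "wc failed with status $?\n";
```

Passing `$raw` instead of `$path` to `system` makes perl abort with an "Insecure dependency" error, which is the protection that is lost when -T is removed.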
 
xhoster@gmail.com
Guest
Posts: n/a
 
      09-22-2008
Azol <azol@non-non-non> wrote:
> Hello.
>
> I have to use a long perl script which use the "tainted mode" (-T
> option), but the hoster we use doesn't allow this option unless on
> dedicated server (and, of course, we can't pay a dedicated server).



I would consider finding another host. They seem to have things backwards.
If I'm sharing a server with random other people, I want them to be forced
to use -T, not forbidden from it.


> What I have to do to remove the tainted mode in the script ?


Remove the -T.

> I'm using PERL sometimes, but don't know very well what implies this
> "tainted mode" option. However, I suppose removing the "-T" on bash line
> isn't enough


If it isn't, then I have no idea what is going on. It is probably a
weirdness peculiar to your hosting environment.


Xho

--
-------------------- http://NewsReader.Com/ --------------------
The costs of publication of this article were defrayed in part by the
payment of page charges. This article must therefore be hereby marked
advertisement in accordance with 18 U.S.C. Section 1734 solely to indicate
this fact.
 
Tim Greer
Guest
Posts: n/a
 
      09-23-2008
Azol wrote:

> Hello.
>
> I have to use a long perl script which use the "tainted mode" (-T
> option), but the hoster we use doesn't allow this option unless on
> dedicated server (and, of course, we can't pay a dedicated server).
>
> What I have to do to remove the tainted mode in the script ?
>
> I'm using PERL sometimes, but don't know very well what implies this
> "tainted mode" option. However, I suppose removing the "-T" on bash
> line isn't enough
>
> Could you tell me, please.


What do you mean that your host won't allow you to use Taint mode? Do
you mean they don't allow Perl, or actually don't allow you to use
Taint mode? That seems crazy, are you sure that's the case and there
wasn't some misunderstanding about the question or feature? I can't
imagine anyone in their right mind denying a user from using a switch
that helps keep your site (and by proxy, their service your site runs
on) from being exposed to problems with a potentially insecure portion
of your code? Is your script perhaps set to run in the background,
launching a child process or something? This is a really strange thing
to hear.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
 
Tim Greer
Guest
Posts: n/a
 
      09-23-2008
Azol wrote:

> Hello.
>
> I have to use a long perl script which use the "tainted mode" (-T
> option), but the hoster we use doesn't allow this option unless on
> dedicated server (and, of course, we can't pay a dedicated server).
>
> What I have to do to remove the tainted mode in the script ?
>
> I'm using PERL sometimes, but don't know very well what implies this
> "tainted mode" option. However, I suppose removing the "-T" on bash
> line isn't enough
>
> Could you tell me, please.


Also, and this isn't something I'd usually suggest, if you plan to stay
with a host that (if what you say is true), is truly clueless enough to
not allow Taint to be used, then look here and upload the following:
http://www.cpan.org/modules/by-module/Taint/ and call that in your
script. I still get the impression that whatever tech representative
you spoke with or emailed at your host, likely didn't understand your
question, but if it fails with Taint mode on, be sure it's not your
script that's causing it to fail, and be sure they really don't allow
this to be switched on, because that is very strange.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
 
Peter Scott
Guest
Posts: n/a
 
      09-23-2008
On Mon, 22 Sep 2008 19:17:48 +0200, Azol wrote:
> I have to use a long perl script which use the "tainted mode" (-T
> option), but the hoster we use doesn't allow this option unless on
> dedicated server (and, of course, we can't pay a dedicated server).


I'm curious; what happens if you run a trivial CGI program with -T on this
host? Because I can't figure out how they would prohibit -T without
building perl from a customized source, and I cannot fathom a
justification for doing so.

--
Peter Scott
http://www.perlmedic.com/
http://www.perldebugged.com/

 
Sherm Pendley
Guest
Posts: n/a
 
      09-23-2008
Peter Scott <> writes:

> I'm curious; what happens if you run a trivial CGI program with -T on this
> host? Because I can't figure out how they would prohibit -T without
> building perl from a customized source


They could be running them in mod_perl's CGI emulation. Taint mode
must be specified when the interpreter is started. So if you have a
script that's running in Apache::Registry that has a -T in the #!
line, and the sysadmin hasn't enabled Taint mode globally with the
"PerlTaintCheck On" directive in httpd.conf, then you'll get a warning
to the effect that it's too late to use -T.

Come to think of it, you might get that warning whether Taint mode is
enabled globally or not - I've never tried using -T when it's already
been enabled with PerlTaintCheck.

sherm--

--
My blog: http://shermspace.blogspot.com
Cocoa programming in Perl: http://camelbones.sourceforge.net
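
Added example (not part of the original thread): a small diagnostic CGI script for the situation discussed above, reporting whether taint checks are actually active in the interpreter that ends up running the script and whether mod_perl is present. It relies on the `${^TAINT}` variable and the `MOD_PERL` environment variable that mod_perl sets; the output format is an assumption.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Returns "name: value" lines describing the interpreter's taint state.
sub taint_report {
    my @out;
    push @out, sprintf 'perl: %vd', $^V;
    # ${^TAINT}: 1 = taint checks on (-T), -1 = warnings only (-t), 0 = off
    push @out, 'taint flag: ' . ${^TAINT};
    push @out, 'mod_perl: '
        . (defined $ENV{MOD_PERL} ? $ENV{MOD_PERL} : 'not detected');

    # Pick any tainted environment value as a seed for the probe.
    my ($seed) = grep { defined && tainted($_) } values %ENV;
    unless (defined $seed) {
        push @out, 'enforcement: no tainted input found, checks are not active';
        return @out;
    }

    # A zero-length slice keeps the taint, so $dir is a tainted ".".
    # chdir to "." is harmless if the interpreter lets it through.
    my $dir = '.' . substr($seed, 0, 0);
    my $ok  = eval { chdir $dir; 1 };
    (my $err = $@) =~ s/\s+\z//;
    push @out, 'enforcement: '
        . ($ok ? 'tainted chdir was allowed' : "blocked ($err)");
    return @out;
}

print "Content-Type: text/plain\r\n\r\n";
print "$_\n" for taint_report();
```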
 
Azol
Guest
Posts: n/a
 
      09-23-2008
In article <CJZBk.113$>, says...
> Azol wrote:
>
> > Hello.
> >
> > I have to use a long perl script which use the "tainted mode" (-T
> > option), but the hoster we use doesn't allow this option unless on
> > dedicated server (and, of course, we can't pay a dedicated server).
> >
> > What I have to do to remove the tainted mode in the script ?
> >
> > I'm using PERL sometimes, but don't know very well what implies this
> > "tainted mode" option. However, I suppose removing the "-T" on bash
> > line isn't enough
> >
> > Could you tell me, please.

>
> What do you mean that your host won't allow you to use Taint mode? Do
> you mean they don't allow Perl, or actually don't allow you to use
> Taint mode? That seems crazy, are you sure that's the case and there
> wasn't some misunderstanding about the question or feature? I can't
> imagine anyone in their right mind denying a user from using a switch
> that helps keep your site (and by proxy, their service your site runs
> on) from being exposed to problems with a potentially insecure portion
> of your code? Is your script perhaps set to run in the background,
> launching a child process or something? This is a really strange thing
> to hear.
>


Thanks to all of you: it's very cool to get all of your returns.

Yes, it's the reply of their support: remove the -T option: oops
Their site is http://www.1and1.fr/

Also, effectively, the script manages a child process: what do you think
about that?
 