[Bioperl-l] CGI taint solved

Stefan Kirov stefan.kirov at bms.com
Wed Feb 28 15:35:31 UTC 2007


Neil, I believe this is your situation:
http://wn.cyberwerks.com/2000/0411.html
my advice: any commands executed from within cgi script should have a 
path hardcoded whenever possible.
If those commands require different path, try writing a wrapper shell 
script that sets the environment (which should be reset to the default 
once the shell script terminates). It all also depends on the type of 
environment you have; if it is not secure, you may wish to think hard about how 
to eliminate all security loopholes with CGI. I am definitely not an 
expert on this.
Stefan

Chris Fields wrote:
> That could possibly clobber any other program calls from within the  
> same script (unless they reside in /usr/local/bin) since you're  
> explicitly assigning PATH, not appending:
>
> $ENV{"PATH"} = '/usr/local/bin';
>
> gets me (printing $ENV{"PATH"}):
>
> /usr/local/bin
>
> whereas this:
>
> $ENV{"PATH"} = '/usr/local/bin:' . $ENV{"PATH"};
>
> gets me:
>
> /usr/local/bin:/Users/cjfields/bin:/Users/cjfields/dart/bin:/usr/ 
> local/mysql/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
>
> There's probably a File::* module that does this safely per OS flavor.
>
> chris
>
> On Feb 28, 2007, at 4:50 AM, Neil Saunders wrote:
>
>   
>> Apologies for running a one-man thread, but I realised that I've  
>> now answered my
>> own question regarding errors with CGI, Bio::Factory::EMBOSS and  
>> taint.
>>
>> Given that the EMBOSS binaries are in /usr/local/bin, adding:
>>
>> $ENV{'PATH'} = '/usr/local/bin'
>>
>> near the top of the script does the trick.
>>
>>
>> Neil
>> -- 
>>   School of Molecular and Microbial Sciences
>>   University of Queensland
>>   Brisbane 4072 Australia
>>
>> http://nsaunders.wordpress.com
>>
>> _______________________________________________
>> Bioperl-l mailing list
>> Bioperl-l at lists.open-bio.org
>> http://lists.open-bio.org/mailman/listinfo/bioperl-l
>>     
>
> Christopher Fields
> Postdoctoral Researcher
> Lab of Dr. Robert Switzer
> Dept of Biochemistry
> University of Illinois Urbana-Champaign
>
>
>
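Worked example, added here and not part of the thread or of Bioperl: it shows why the two PATH assignments discussed above behave differently under Perl's taint mode (`-T`), and the rest of what a CGI script should do before it runs an external program such as an EMBOSS binary. The directory `/usr/local/bin`, the program name `seqret` and its arguments, and the sample identifier are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): PATH handling and untainting before
# a CGI script calls an external program under taint mode.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value inherited from the environment is tainted, PATH included.
# Prepending a trusted directory to the inherited value keeps the result tainted,
# so system() would still die with "Insecure $ENV{PATH}".
my $appended = '/usr/local/bin:' . ($ENV{PATH} // '');
printf "appended PATH tainted: %s\n", tainted($appended) ? 'yes' : 'no';

# Assigning a literal produces a clean PATH. perlsec also recommends deleting
# variables that a spawned shell would honour but Perl does not check.
$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';   # assumed location of the EMBOSS binaries
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
printf "assigned PATH tainted: %s\n", tainted($ENV{PATH}) ? 'yes' : 'no';

# Untaint user input by matching it against a whitelist pattern; only the
# captured part of a successful match is considered clean by Perl.
sub untaint_id {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/ or return;
    return $clean;
}

# Constructed input: @ARGV is tainted under -T just as CGI parameters are.
my $id = untaint_id($ARGV[0] // 'P12345');
defined $id
    or die "rejected: identifier contains characters outside the whitelist\n";

# Invoke the program by absolute path and in list form: no shell is involved,
# PATH is not consulted for the lookup, and no argument is re-parsed.
my @cmd = ('/usr/local/bin/seqret', '-sequence', "embl:$id", '-outseq', 'stdout');
print "would run: @cmd\n";
if (-x $cmd[0]) {
    system(@cmd) == 0 or warn "seqret exited with status $?\n";
} else {
    print "$cmd[0] not installed on this host; skipping the call\n";
}
```

Running this with `perl -T` prints `yes` for the appended PATH and `no` for the assigned one, which is the difference behind Neil's fix and Chris's objection: the literal assignment is what satisfies taint mode, and appending the inherited PATH would not. Calling the binary by absolute path removes the dependence on PATH altogether, which is the "hardcoded path" advice above in code form.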