
Deleting windows environment variables

by qadwjoh (Scribe)
on Aug 19, 2004 at 09:28 UTC ( #384224=perlquestion )
qadwjoh has asked for the wisdom of the Perl Monks concerning the following question:


I'm writing a CGI script to run on Windows (2000 Server to be precise) and I was thinking of deleting environment variables when the script starts, for extra security.

Does anyone have any suggestions on what I should delete?


Replies are listed 'Best First'.
Re: Deleting windows environment variables
by Chady (Priest) on Aug 19, 2004 at 11:52 UTC

    Instead of looking for what to delete, why not keep only what you want ?

    BEGIN {
        my %e = %ENV;    # copy the inherited environment
        %ENV = (         # rebuild %ENV with only what the script needs
            PATH_INFO    => $e{PATH_INFO},
            QUERY_STRING => $e{QUERY_STRING},
            REMOTE_ADDR  => $e{REMOTE_ADDR},
            # etc...
        );
    }

    He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.

    Chady
Re: Deleting windows environment variables
by TStanley (Canon) on Aug 19, 2004 at 09:54 UTC
    Check out Ovid's CGI course for some very good advice.

    The only thing necessary for the triumph of evil is for good men to do nothing -- Edmund Burke
      Is there Windows specific advice in this guide? I couldn't seem to find any.


        Firstly you have to know what environment variables are presented to a CGI program on Windows that differ from those on other platforms - you can determine this by running something like:

        #!perl -w
        use CGI qw(:standard);
        print header, start_html;
        # dump every environment variable the server hands to the script
        foreach my $var (keys %ENV ) {
            print "$var : $ENV{$var}<br />\n";
        }
        print end_html;
        On IIS 5.0 with w2k I get:
        USERPROFILE : C:\Documents and Settings\Default User
        SCRIPT_NAME : /
        PATH_INFO : /
        OS2LIBPATH : C:\WINNT\system32\os2\dll;
        REQUEST_METHOD : GET
        HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
        COMMONPROGRAMFILES : C:\Program Files\Common Files
        SERVER_SOFTWARE : Microsoft-IIS/5.0
        PROGRAMFILES : C:\Program Files
        OS : Windows_NT
        PATHEXT : .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
        HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
        HTTP_ACCEPT_LANGUAGE : en-gb
        NUMBER_OF_PROCESSORS : 1
        LOCAL_ADDR :
        PATH : C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\BINN
        GATEWAY_INTERFACE : CGI/1.1
        INCLUDE : C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
        HTTPS : off
        REMOTE_HOST :
        PROCESSOR_ARCHITECTURE : x86
        PATH_TRANSLATED : c:\inetpub\wwwroot\
        SERVER_NAME : localhost
        TEMP : C:\WINNT\TEMP
        HTTP_ACCEPT_ENCODING : gzip, deflate
        SYSTEMDRIVE : C:
        HTTP_CONNECTION : Keep-Alive
        PROCESSOR_REVISION : 0308
        VS71COMNTOOLS : C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
        SYSTEMROOT : C:\WINNT
        CONTENT_LENGTH : 0
        INSTANCE_ID : 1
        COMSPEC : C:\WINNT\system32\cmd.exe
        WINDIR : C:\WINNT
        SERVER_PORT_SECURE : 0
        PROCESSOR_LEVEL : 15
        SERVER_PORT : 80
        REMOTE_ADDR :
        SERVER_PROTOCOL : HTTP/1.1
        PROCESSOR_IDENTIFIER : x86 Family 15 Model 3 Stepping 8, GenuineIntel
        LIB : C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
        ALLUSERSPROFILE : C:\Documents and Settings\All Users
        COMPUTERNAME : VM-DEV-US
        HTTP_HOST : localhost
        TMP : C:\WINNT\TEMP
        Now obviously some of these are going to be needed for the proper operation of the CGI, and some are just set by Windows for the convenience of the application. Of course most of the superfluous ones here will have no effect whatsoever on the operation of a Perl program and just so long as you aren't letting them leak out into the outside world then they shouldn't be a problem. The standard sanitising of PATH should generally be enough. The ones that are Windows specific and can be got rid of in their entirety are:
        Of course those on your machine will almost certainly be different.

        And before anyone chimes in, no I don't believe it is a security risk to be showing the contents of these variables as a) they are not giving away any secrets and, b) the machine is on a private network behind a firewall.


Re: Deleting windows environment variables
by davido (Archbishop) on Aug 19, 2004 at 15:55 UTC

    %ENV may also be localized:

    {
        local %ENV;    # Old %ENV saved away in case you need it
                       # outside this scope.
        %ENV = (
            # ...... Create your own custom %ENV.
        );
        # Most of your script here...
    }
    # Here, %ENV will be restored to the original, in case you need
    # it for something else.
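
The keep-only-what-you-want approach from the replies, combined with the fixed PATH mentioned above, as an added example that is not code from the thread. The `@KEEP` list, the `scrub_env` helper, the sample hash and the choice to retain SYSTEMROOT and TEMP are assumptions for illustration.

```perl
use strict;
use warnings;

# Added example, not code from the thread. The allowlist is an assumption:
# trim it to the variables your script really reads. SYSTEMROOT and TEMP
# are kept on the assumption that modules or child processes need them.
my @KEEP = qw(
    GATEWAY_INTERFACE SERVER_NAME SERVER_PORT SERVER_PROTOCOL SERVER_SOFTWARE
    REQUEST_METHOD SCRIPT_NAME PATH_INFO QUERY_STRING
    CONTENT_TYPE CONTENT_LENGTH REMOTE_ADDR HTTPS
    HTTP_HOST HTTP_USER_AGENT HTTP_ACCEPT HTTP_COOKIE
    SYSTEMROOT TEMP
);

# Build a new environment holding only the allowlisted keys that are set,
# and a fixed PATH in place of whatever the server process inherited.
sub scrub_env {
    my ($env, $keep, $path) = @_;
    my %clean = map  { $_ => $env->{$_} }
                grep { defined $env->{$_} } @$keep;
    $clean{PATH} = $path;
    return %clean;
}

# Constructed sample, modelled on the IIS 5.0 listing in the thread.
my %sample = (
    REQUEST_METHOD => 'GET',
    QUERY_STRING   => 'id=1',
    REMOTE_ADDR    => '192.0.2.10',
    SYSTEMROOT     => 'C:\WINNT',
    COMSPEC        => 'C:\WINNT\system32\cmd.exe',
    PATHEXT        => '.COM;.EXE;.BAT;.CMD',
    COMPUTERNAME   => 'VM-DEV-US',
    PATH           => 'C:\WINNT\system32;C:\WINNT;C:\Program Files\Microsoft SQL Server\80\Tools\BINN',
);

my $path = 'C:\WINNT\system32;C:\WINNT';    # assumed minimal search path
my %kept = scrub_env(\%sample, \@KEEP, $path);
print "$_ : $kept{$_}\n" for sort keys %kept;

# In the CGI script itself, apply it to the live environment first thing:
#   %ENV = scrub_env(\%ENV, \@KEEP, $path);
```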

