Deleting windows environment variables

by qadwjoh (Scribe)
on Aug 19, 2004 at 09:28 UTC
qadwjoh has asked for the wisdom of the Perl Monks concerning the following question:

Hi

I'm writing a CGI script to run on Windows (2000 Server to be precise) and I was thinking of deleting environment variables when the script starts, for extra security.

Does anyone have any suggestions on what I should delete?

thanks,
A

Re: Deleting windows environment variables
by TStanley (Canon) on Aug 19, 2004 at 09:54 UTC
    Check out Ovid's CGI course for some very good advice.

    TStanley
    --------
    The only thing necessary for the triumph of evil is for good men to do nothing -- Edmund Burke
      Is there Windows specific advice in this guide? I couldn't seem to find any.

      thanks,
      A

        Firstly you have to know what environment variables are presented to a CGI program on windows that differ from those on other platforms - you can determine this by running something like:

            #!perl -w
            use CGI qw(:standard);

            print header, start_html;
            foreach $var (keys %ENV ) {
                print "$var : $ENV{$var}<br />\n";
            }
            print end_html;

        On IIS 5.0 with w2k I get:
            USERPROFILE : C:\Documents and Settings\Default User
            SCRIPT_NAME : /test.pl
            PATH_INFO : /test.pl
            OS2LIBPATH : C:\WINNT\system32\os2\dll;
            REQUEST_METHOD : GET
            HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
            COMMONPROGRAMFILES : C:\Program Files\Common Files
            SERVER_SOFTWARE : Microsoft-IIS/5.0
            PROGRAMFILES : C:\Program Files
            OS : Windows_NT
            PATHEXT : .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
            HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
            HTTP_ACCEPT_LANGUAGE : en-gb
            NUMBER_OF_PROCESSORS : 1
            LOCAL_ADDR : 127.0.0.1
            PATH : C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\BINN
            GATEWAY_INTERFACE : CGI/1.1
            INCLUDE : C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
            HTTPS : off
            REMOTE_HOST : 127.0.0.1
            PROCESSOR_ARCHITECTURE : x86
            PATH_TRANSLATED : c:\inetpub\wwwroot\test.pl
            SERVER_NAME : localhost
            TEMP : C:\WINNT\TEMP
            HTTP_ACCEPT_ENCODING : gzip, deflate
            SYSTEMDRIVE : C:
            HTTP_CONNECTION : Keep-Alive
            PROCESSOR_REVISION : 0308
            VS71COMNTOOLS : C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
            SYSTEMROOT : C:\WINNT
            CONTENT_LENGTH : 0
            INSTANCE_ID : 1
            COMSPEC : C:\WINNT\system32\cmd.exe
            WINDIR : C:\WINNT
            SERVER_PORT_SECURE : 0
            PROCESSOR_LEVEL : 15
            SERVER_PORT : 80
            REMOTE_ADDR : 127.0.0.1
            SERVER_PROTOCOL : HTTP/1.1
            PROCESSOR_IDENTIFIER : x86 Family 15 Model 3 Stepping 8, GenuineIntel
            LIB : C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
            ALLUSERSPROFILE : C:\Documents and Settings\All Users
            COMPUTERNAME : VM-DEV-US
            HTTP_HOST : localhost
            TMP : C:\WINNT\TEMP

        Now obviously some of these are going to be needed for the proper operation of the CGI, and some are just set by windows for the convenience of the application. Of course most of the superfluous ones here will have no effect whatsoever on the operation of a Perl program and just so long as you aren't letting them leak out into the outside world then they shouldn't be a problem. The standard sanitising of PATH should generally be enough. The ones that are windows specific and can be got rid of in their entirety are:
            USERPROFILE
            OS2LIBPATH
            COMMONPROGRAMFILES
            PROGRAMFILES
            OS
            PATHEXT
            NUMBER_OF_PROCESSORS
            INCLUDE
            PROCESSOR_ARCHITECTURE
            TEMP
            SYSTEMDRIVE
            PROCESSOR_REVISION
            VS71COMNTOOLS
            SYSTEMROOT
            INSTANCE_ID
            COMSPEC
            WINDIR
            PROCESSOR_LEVEL
            PROCESSOR_IDENTIFIER
            LIB
            ALLUSERSPROFILE
            COMPUTERNAME
            TMP

        Of course those on your machine will almost certainly be different.

        And before anyone chimes in, no I don't believe it is a security risk to be showing the contents of these variables as a) they are not giving away any secrets and, b) the machine is on a private network behind a firewall.

        /J\

Re: Deleting windows environment variables
by Chady (Priest) on Aug 19, 2004 at 11:52 UTC

    Instead of looking for what to delete, why not keep only what you want ?

        BEGIN {
            my %e = %ENV;
            %ENV = (
                PATH_INFO    => $e{PATH_INFO},
                QUERY_STRING => $e{QUERY_STRING},
                REMOTE_ADDR  => $e{REMOTE_ADDR},
                # etc...
            );
        }

    He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.

    Chady | http://chady.net/
Re: Deleting windows environment variables
by davido (Archbishop) on Aug 19, 2004 at 15:55 UTC

    %ENV may also be localized:

        {
            local %ENV;          # Old %ENV saved away in case you need it
                                 # outside this scope.
            %ENV = ( ...... );   # Create your own custom %ENV.

            # Most of your script here...
        }
        # Here, %ENV will be restored to the original, in case you need
        # it for something else.

    Dave
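
The keep-only-what-you-want approach from this thread, combined with the fixed PATH mentioned earlier, as an added example that is not part of any reply. The allowlist contents, the HTTP_PROXY exclusion and the retained SYSTEMROOT are assumptions; the paths are the ones in the IIS 5.0 dump above.

```perl
#!perl -w
use strict;

# Build a clean environment: allowlisted names are copied, names in %$fixed
# are overwritten with known-good values, everything else is dropped.
sub clean_env {
    my ($old, $keep, $fixed) = @_;
    my %allowed = map { uc($_) => 1 } @$keep;
    my (%clean, @dropped);
    for my $name (sort keys %$old) {
        my $uc = uc $name;               # Windows names are case-insensitive
        next if exists $fixed->{$uc};    # inherited value is never reused
        # Request headers arrive as HTTP_*; HTTP_PROXY is refused because a
        # client "Proxy:" header sets it and HTTP libraries may honour it.
        if ($allowed{$uc} || ($uc =~ /^HTTP_[A-Z0-9_]+$/ && $uc ne 'HTTP_PROXY')) {
            $clean{$uc} = $old->{$name};
        }
        else {
            push @dropped, $uc;
        }
    }
    return (+{ %clean, %$fixed }, \@dropped);
}

our @DROPPED;
BEGIN {    # runs before any later "use" line loads a module
    # Assumed allowlist: the CGI/1.1 variables a typical script reads.
    my @keep = qw(
        GATEWAY_INTERFACE SERVER_NAME SERVER_PORT SERVER_PROTOCOL
        SERVER_SOFTWARE REQUEST_METHOD SCRIPT_NAME PATH_INFO QUERY_STRING
        CONTENT_TYPE CONTENT_LENGTH REMOTE_ADDR HTTPS
    );
    # Fixed values; the paths are those shown in the dump above.
    my %fixed = (
        PATH       => 'C:\WINNT\system32;C:\WINNT',
        SYSTEMROOT => 'C:\WINNT',    # assumption: kept for Windows libraries
    );
    my ($clean, $dropped) = clean_env(\%ENV, \@keep, \%fixed);
    %ENV     = %$clean;
    @DROPPED = @$dropped;
}

# From a command prompt (no web server) list what would have been removed.
unless ($ENV{GATEWAY_INTERFACE}) {
    print "dropped: $_\n" for @DROPPED;
}
```

The surviving HTTP_* values are still client-supplied and need the same validation as any other request input.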
