PerlMonks  

Taint with Perl on NT/IIS

by ajt (Prior)
on Sep 25, 2001 at 22:34 UTC

ajt has asked for the wisdom of the Perl Monks concerning the following question:

A script I wrote for and tested with Apache on NT and Linux was recently moved to an MS IIS box. To my horror IIS would not run the script, claiming that -T was too late in the shebang line. To get the script to run, I was forced to remove the -T line.

It looks like IIS is simply running the script through Perl via the registry association: "perl.exe runs .pl files". Essentially it looks like the same error if you run the file from cmd.exe without specifying -T in the call.

Does this mean that most IIS boxes running Perl are always running with Taint off, or have their admins reconfigured NT so that Perl is always called with -T?

What is therefore the best way to write scripts so that they can be run as safely as possible and on as many platforms as possible, without having to rewrite them when they move box?

I assume that it's best to let Apache use a shebang rather than a registry association when running it on NT, see How does apache under NT find the perl interpreter?.

If I could we wouldn't be using MS IIS, but that's another story....

Replies are listed 'Best First'.
Re: Taint with Perl on NT/IIS
by dws (Chancellor) on Sep 25, 2001 at 22:55 UTC
    Does this mean that most IIS boxes running Perl are always running with Taint off, or have their admins reconfigured NT so that Perl is always called with -T?

    More the latter, at least for Perl CGIs invoked through IIS. IIS figures out what to invoke for ".cgi" by looking up .cgi in the IIS scriptmap. Typically, scriptmap includes the path to perl.exe, plus placeholders for arguments (the first one of which will be the .cgi script name). Perl then processes the .cgi, sees the -T on the #! line, and complains that the -T is too late.

    The trick is to add -T to the .cgi entry in the scriptmap. The full answer is here.

    This problem has been around long enough to have inspired poetry.

Re: Taint with Perl on NT/IIS
by idnopheq (Chaplain) on Sep 25, 2001 at 22:38 UTC
    Yep! Associations blow the shebang line on Win32. You can change the association to include -T, but that is now global. Better, use runperl.bat ( this one i advocate ) or pl2bat.bat to wrap the code, executing the perl interpreter w/ -T on a per-script basis ... I haven't played w/ .bat and IIS ( why are you running IIS after nimda, anyway? ) but it should work.

    HTH
    --
    idnopheq
    Apply yourself to new problems without preparation, develop confidence in your ability to meet situations as they arise.

(Ovid) Re: Taint with Perl on NT/IIS
by Ovid (Cardinal) on Sep 25, 2001 at 23:07 UTC

    How this works really depends upon your IIS configuration. If you are using ActiveState Perl, there is a good chance that you are using the ISAPI dll (perlIS.dll). This dll is a memory-resident version of Perl that does not support taint checking in any configuration. Changing the association to use this dll and passing the -T switch will still kill your script. Your alternative with this is to use straight CGI, but that kills performance. Read this link regarding alternatives to taint checking for some of my research into this subject.

    Frankly, I'd love to hear from some monks with some experience running mod_perl on a Win32 box. That would solve the security and the performance issues.

    Cheers,
    Ovid

    Vote for paco!

    Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
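Added example (not code from any poster in this thread): a CGI script that refuses to run when the web server started perl without -T, so a move between servers cannot silently drop taint checking. It assumes Perl 5.8 or later for `${^TAINT}`, and that -T is supplied by the server configuration (for IIS, the scriptmap entry described above); the `file` parameter and the helper names are hypothetical.

```perl
#!/usr/bin/perl
# Added example: fail closed when perl was launched without -T.
# There is deliberately no -T on the #! line, so the file still starts when
# the server ignores the shebang; the guard checks that -T was really passed.
use strict;
use warnings;

# ${^TAINT} (Perl 5.8+) is 1 under -T, -1 under -t, 0 when taint is off.
sub taint_enabled { return ${^TAINT} == 1 }

# Untaint a value by capturing it through an allow-list pattern.
# Returns undef when the value does not match, so callers must check.
sub untaint_filename {
    my ($value) = @_;
    return unless defined $value;
    # \z rather than $, so a trailing newline cannot slip through.
    return $value =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# Send a minimal CGI error response and stop.
sub refuse {
    my ($status, $message) = @_;
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$message\r\n";
    exit 0;
}

unless (taint_enabled()) {
    # Detail goes to the server log only, not to the client.
    warn "$0: taint mode is off (value " . ${^TAINT} . "); refusing to run\n";
    refuse('500 Internal Server Error', 'Server configuration error.');
}

# Under -T, %ENV must be cleaned before any external command is run.
$ENV{PATH} = '';   # set an explicit system path here if the script needs one
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical input: a "file" parameter taken from the query string.
my ($raw) = ($ENV{QUERY_STRING} || '') =~ /(?:\A|[&;])file=([^&;]*)/;
my $file = untaint_filename($raw);
refuse('400 Bad Request', 'Invalid file parameter.') unless defined $file;

print "Content-Type: text/plain\r\n\r\nWould open: $file\r\n";
```

Under an interpreter that cannot enable taint checking at all, such as the perlIS.dll setup Ovid describes, this guard always takes the refuse branch, which makes the missing protection visible instead of silent.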

Re: Taint with Perl on NT/IIS
by Moonie (Friar) on Sep 25, 2001 at 23:02 UTC
