Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2004/06/16 01:29:31 UTC

RE: can CGI Servlet handle Perl taint checking?

> > -----Original Message-----
> > From: Larry Levin [mailto:ljlevin@criticalArchitectures.com] 
> > Sent: Thursday, May 27, 2004 4:59 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: can CGI Servlet handle Perl taint checking?
> > 
> > Hi;
> > 
> > I am trying to get Bugzilla to work with Tomcat and have run into a
> > problem. The latest stable release of Bugzilla (2.16) has implemented
> > "taint checking" in all of the CGI perl scripts as a security feature.
> > When I attempt to access Bugzilla via Tomcat, I get a message in the log
> > file from the CGI servlet that it's too late to turn on the "-T" option.
> > 
> > The problem, as I understand it, is that the perl executable must be
> > started up with taint checking enabled if the scripts are going to
> > invoke it. Is there any way I can set an option in Tomcat to have the
> > CGI servlet properly handle this aspect of perl?
Not explicitly but try setting the "executable" parameter to "perl -T" rather
than "perl". No idea if this will work.

> > Does it matter whether 
> > I run Tomcat 4.1 or 5.0 ?
TC4 and TC5 use exactly the same CGI servlet so it doesn't matter which one you
use.

Mark


