
jaychan
New User
Aug 28, 2013, 11:16 AM
Post #1 of 3
(2351 views)
|
Cannot Call OSQL from Perl/CGI with Taint Check
|
Can't Post
|
|
I find that I cannot call OSQL from a CGI script that is written in Perl. I have many CGI scripts in Perl. Those Perl scripts use system() function to call OSQL.EXE (that is a command line interface of Microsoft SQL Server). For security reason, I turn ON the taint check mode in Perl. They have been working trouble free for many years. Recently, I need to install Apache/Perl in a Windows 2003 Server that is in 64-bit. Because the server is in 64-bit, I am forced to upgrade Perl from the tried-and-true 5.6.1 to the new 5.12.3.0. That was when the problem starts. I find that the Perl/CGI script cannot use system() function to call OSQL.EXE. The call fails. I have tracked down the problem has to do with taint-check and the $ENV{PATH}: 1. If I run a Perl script (not a CGI) from command line, it has no problem calling OSQL.EXE. 2. If I run a Perl/CGI script in taint check mode, and ask it to call a DOS command like "ECHO" and I specify "C:\Windows\System32" in $ENV{PATH}, it has no problem doing this. 3. If I run a Perl/CGI script without taint check, and ask it to call OSQL.EXE, it has no problem doing this, and I don't need to touch the $ENV{PATH}. 4. However, if I run the same Perl/CGI script with the taint check mode turned ON, and ask it to call OSQL.EXE, it will fail regardless how I set the $ENV{PATH}. I have tried various combinations of the following two paths, none work: C:\Windows\System32 C:\Program Files (x86)\Microsoft SQL Server I have tried only the Sys32 path. I have tried only the SQL path. I have tried no path. And I have tried having both paths in $ENV{PATH}. None work. I believe the problem has to do with the use of system() function to call OSQL.EXE requires the access of two folders (Sys32 folder for system() and SQL folder for OSQL.EXE) in taint check mode. But the $ENV{PATH} only allows one single path in taint check mode. I don't understand why the script works fine in the older version of Perl, but not in the new version. I remember I had the same problem when I tried to upgrade to 5.8.0, and I was forced to downgrade back to 5.6.1. Now, I cannot put it off for another day any more. The only workaround that I know of is to turn OFF the taint check mode. But I don't like this because those Perl/CGI scripts may be used outside the company in the future (they run in intranet for now). Attached please find a Perl/CGI script that tries to use system() function to call OSQL.EXE in taint check mode. It tries to do this with both Sys32 folder and SQL folder in $ENV{PATH}. Unfortunately, it doesn't work. Would you please tell me if there is a solution to this problem? Thanks in advance. Jay Chan
|