Cannot Call OSQL from Perl/CGI with Taint Check

jaychan, Aug 28, 2013, 11:16 AM
Post #1 of 3: Cannot Call OSQL from Perl/CGI with Taint Check

I find that I cannot call OSQL from a CGI script that is written in Perl.

I have many CGI scripts in Perl. Those Perl scripts use system() function to call OSQL.EXE (that is a command line interface of Microsoft SQL Server). For security reason, I turn ON the taint check mode in Perl. They have been working trouble free for many years.

Recently, I needed to install Apache/Perl on a Windows 2003 Server that is 64-bit. Because the server is 64-bit, I am forced to upgrade Perl from the tried-and-true 5.6.1 to the new 5.12.3.0. That was when the problem started. I find that the Perl/CGI script cannot use the system() function to call OSQL.EXE. The call fails.

I have tracked down the problem; it has to do with taint-check and $ENV{PATH}:

1. If I run a Perl script (not a CGI) from command line, it has no problem calling OSQL.EXE.

2. If I run a Perl/CGI script in taint check mode, and ask it to call a DOS command like "ECHO" and I specify "C:\Windows\System32" in $ENV{PATH}, it has no problem doing this.

3. If I run a Perl/CGI script without taint check, and ask it to call OSQL.EXE, it has no problem doing this, and I don't need to touch the $ENV{PATH}.

4. However, if I run the same Perl/CGI script with the taint check mode turned ON, and ask it to call OSQL.EXE, it will fail regardless of how I set $ENV{PATH}. I have tried various combinations of the following two paths, none work:
C:\Windows\System32
C:\Program Files (x86)\Microsoft SQL Server
I have tried only the Sys32 path. I have tried only the SQL path. I have tried no path. And I have tried having both paths in $ENV{PATH}. None work.

I believe the problem has to do with the fact that using the system() function to call OSQL.EXE requires access to two folders (the Sys32 folder for system() and the SQL folder for OSQL.EXE) in taint check mode. But $ENV{PATH} only allows one single path in taint check mode.

I don't understand why the script works fine in the older version of Perl, but not in the new version. I remember I had the same problem when I tried to upgrade to 5.8.0, and I was forced to downgrade back to 5.6.1. Now, I cannot put it off for another day any more.

The only workaround that I know of is to turn OFF the taint check mode. But I don't like this because those Perl/CGI scripts may be used outside the company in the future (they run in intranet for now).

Attached please find a Perl/CGI script that tries to use system() function to call OSQL.EXE in taint check mode. It tries to do this with both Sys32 folder and SQL folder in $ENV{PATH}. Unfortunately, it doesn't work.

Would you please tell me if there is a solution to this problem?

Thanks in advance.

Jay Chan


jaychan, Aug 28, 2013, 12:43 PM
Post #2 of 3: Re: [jaychan] Cannot Call OSQL from Perl/CGI with Taint Check

I think I have found the solution. The path to OSQL.EXE has to be very specific. This means instead of this:

C:\Program Files (x86)\Microsoft SQL Server

The path has to be this:

C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn

It has to get down to the folder where OSQL.EXE file is stored.

I am glad that this is fixed.

Jay Chan


jaychan, Aug 28, 2013, 1:07 PM
Post #3 of 3: Re: [jaychan] Cannot Call OSQL from Perl/CGI with Taint Check

I still don't understand why the Perl/CGI scripts have been working for so many years in the older version of Perl without setting $ENV{PATH} to the SQL\Bin folder. But I just have to apply the fix to all the Perl/CGI scripts.

Jay Chan
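What the fix described in this thread looks like in a complete script, as an added example (this is not the poster's attached script, which is not reproduced on the page): a taint-checked Perl CGI on Windows that sets $ENV{PATH} to the exact directories it needs, including the folder that actually contains OSQL.EXE, scrubs the other environment variables that perlsec flags as dangerous, untaints the one user-supplied value with a strict regex, and calls OSQL.EXE with the list form of system() so no shell is involved. The installation path (the "80\Tools\Binn" layout from the thread), the server name SQLHOST, the database Sales, the customers table and the cust_id parameter are all assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's script. Demonstrates calling
# OSQL.EXE from a taint-checked Perl CGI on Windows. Paths, server name,
# database and table below are assumptions; adjust to your installation.
use strict;
use warnings;
use CGI;

# perlsec: in taint mode, system()/exec() refuse to run unless $ENV{PATH}
# is untainted and made only of absolute directories you control. The
# directory that holds OSQL.EXE itself must be listed; its parent is not
# enough, because PATH lookup does not descend into subfolders.
my @PATH_DIRS = (
    'C:\Windows\System32',                                        # assumption
    'C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn',  # assumption
);
$ENV{PATH} = join ';', @PATH_DIRS;     # literal strings, so untainted
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # per perlsec

# Fail early, with a readable message, rather than with an opaque
# "Insecure $ENV{PATH}" or "command not found" at the system() call.
for my $dir (@PATH_DIRS) {
    die "PATH entry is not a directory: $dir\n" unless -d $dir;
}
die "OSQL.EXE not found in any PATH directory\n"
    unless grep { -e "$_\\OSQL.EXE" } @PATH_DIRS;

my $q = CGI->new;

# Untaint the only user-supplied value by matching it against a strict
# pattern and keeping the capture. Anything that does not match is
# rejected outright, never "cleaned up". cust_id is an assumed parameter.
my ($cust_id) = ( $q->param('cust_id') // '' ) =~ /\A(\d{1,9})\z/
    or die "cust_id must be 1 to 9 digits\n";

# List-form system(): no command shell, no metacharacter interpretation,
# each element reaches OSQL.EXE as one argument. Because $cust_id is
# digits only, interpolating it into the query cannot change its shape.
my @cmd = (
    'OSQL.EXE',
    '-S', 'SQLHOST',     # assumption: SQL Server instance name
    '-E',                # trusted (Windows authentication) connection
    '-d', 'Sales',       # assumption: database
    '-n',                # no line numbering in output
    '-b',                # exit with non-zero status on a SQL error
    '-Q', "SELECT name FROM customers WHERE id = $cust_id",
);

print $q->header('text/plain');
my $rc = system(@cmd);        # OSQL's stdout becomes the response body
if ( $rc == -1 ) {
    print "could not start OSQL.EXE: $!\n";
}
elsif ( $? >> 8 ) {
    printf "OSQL.EXE exited with status %d\n", $? >> 8;
}
```

The two pre-flight checks are the part worth keeping even once the script works: a wrong PATH entry under -T otherwise surfaces only as a failed system() call, which is exactly the symptom the thread spent three posts on. Checking $? after system() matters for the same reason; with -b, OSQL.EXE reports SQL failures through its exit status, and a CGI that ignores it will happily return an empty 200 response.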