
Taint mode question

Author: evillen@gmail.com
2005-12-08, 6:55 pm

Perl 5.8, WinXP

I have created the code below to test Taint mode. The testapp.exe
program is actually the standard windows "attrib.exe" but renamed and
placed in my CWD. The program as it is below works as expected, however
if I swap the comments on the two $ENV{'PATH'} lines it no longer works
and reports an insecure $ENV{PATH}.

I can't understand why I need to have the windows system32 folder
included in my $ENV{PATH} for the prog to run.

If in a DOS window I reset my OS environment var PATH to simply '.'
(the CWD) the testapp.exe will run as normal in the DOS window, so why
is resetting my $ENV{PATH} to the CWD different?

Thanks

----

#!c:/perl/bin/perl.exe -wT

use strict;
use diagnostics;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use Cwd;

my $dir = getcwd();
my $q = new CGI;

print $q->header,
$q->start_html(-title => "External program"),
$q->h2("External command test");

#$ENV{'PATH'} = $dir;
$ENV{'PATH'} = ("C:\\WINDOWS\\system32");
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

my @prog1 = ("testapp.exe", "+R", "dummy.txt", "/S");

my $exit_status1 = system(@prog1);

print $q->p("My CWD is $dir"),
$q->p("My 'PATH' is $ENV{'PATH'}"),
$q->p("Exit status1: $exit_status1"),
$q->end_html;
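
Added example, not part of the original post: under -T, Perl refuses system() when the value stored in $ENV{PATH} is itself tainted, and a PATH copied from getcwd() carries that function's taint, which is the situation the commented-out line creates. The script below prints the taint status on the system it runs on and shows the usual regex untaint; the allowed character set is an assumption, and testapp.exe is the name from the post (it does not need to exist for the refusal to appear, because the check happens before the launch).

```perl
#!/usr/bin/perl -T
# Added illustration, not the poster's script. Run as: perl -T taint_path.pl
use strict;
use warnings;
use Cwd qw(getcwd);
use Scalar::Util qw(tainted);

# Same environment clean-up as in the post.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Try to launch the program named in the post. With a tainted PATH,
# Perl dies before starting anything, so eval catches the refusal.
sub try_system {
    my $ok = eval { system('testapp.exe', '+R', 'dummy.txt', '/S'); 1 };
    return "allowed (status $?)" if $ok;
    chomp(my $err = $@);
    return "refused: $err";
}

my $cwd = getcwd();
printf "getcwd() tainted:        %s\n", tainted($cwd) ? 'yes' : 'no';

# Case 1: PATH takes on the taint of the value assigned to it.
$ENV{PATH} = $cwd;
printf "PATH tainted:            %s\n", tainted($ENV{PATH}) ? 'yes' : 'no';
print  "PATH = getcwd():         ", try_system(), "\n";

# Case 2: untaint by capturing through a regex that allows only the
# characters expected in a directory name. The character set here is an
# assumption; tighten it to what your deployment actually uses.
my ($clean) = $cwd =~ m{\A([\w:./\\ -]+)\z}
    or die "Unexpected characters in working directory\n";
$ENV{PATH} = $clean;
printf "untainted copy tainted:  %s\n", tainted($clean) ? 'yes' : 'no';
print  "PATH = untainted cwd:    ", try_system(), "\n";

# Case 3: a literal in the source is never tainted, which is why the
# hard-coded system32 line in the post passes the check.
$ENV{PATH} = 'C:\\WINDOWS\\system32';
print  "PATH = string literal:   ", try_system(), "\n";
```

On Unix-like systems perlsec additionally requires every PATH directory to be absolute and not writable by anyone other than its owner and group, so case 2 can still be refused there with an "Insecure directory" message.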
