CGI::Application and recent bash security hole

Christian Jaeger chrjae at gmail.com
Thu Sep 25 21:19:29 BST 2014


2014-09-25 19:36 GMT+01:00, Christian Jaeger <chrjae at gmail.com>:
> but, I actually wonder whether the usual Perl variables like PERL5LIB,
> PERL5OPT, LOGDIR, PERL5DB, PERL5SHELL etc. can't be set and misused
> through CGI.

They can't. I was being stupid, this is not a case where users can
decide on the variable names (i.e. query parameters are *not* passed
as individual env variables). As Dagfinn has also written in his post
(which arrived after I wrote mine), it will still be a problem with bash
though (unless CGI.pm or so deletes or cleans the CGI env variables, I
haven't checked that).
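
An added example (not from this thread, and not code from CGI.pm or CGI::Application) of the kind of environment cleaning mentioned above, done before a CGI script starts a child process. `scrub_env` is a hypothetical helper name and the sample environment is constructed; note that the `PERL5LIB` inside `QUERY_STRING` never becomes a variable of its own.

```perl
use strict;
use warnings;

# Request meta-variables named by the CGI spec (RFC 3875). The web server
# chooses these names; the client only influences some of their values.
my %CGI_META = map { $_ => 1 } qw(
    AUTH_TYPE CONTENT_LENGTH CONTENT_TYPE GATEWAY_INTERFACE PATH_INFO
    PATH_TRANSLATED QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_IDENT
    REMOTE_USER REQUEST_METHOD SCRIPT_NAME SERVER_NAME SERVER_PORT
    SERVER_PROTOCOL SERVER_SOFTWARE
);

# scrub_env(\%env) -> (\%kept, \@dropped). Hypothetical helper for this example.
sub scrub_env {
    my ($env) = @_;
    my (%kept, @dropped);
    for my $name (sort keys %$env) {
        my $value = $env->{$name};
        if ($name =~ /^HTTP_/ || $CGI_META{$name}) {
            push @dropped, $name;    # derived from the request
        }
        elsif (defined $value && $value =~ /^\(\)\s*\{/) {
            push @dropped, $name;    # value starts like an exported shell function
        }
        else {
            $kept{$name} = $value;
        }
    }
    return (\%kept, \@dropped);
}

# Constructed sample environment, as a web server might hand it to a CGI script.
my %sample = (
    PATH            => '/usr/bin:/bin',
    REQUEST_METHOD  => 'GET',
    QUERY_STRING    => 'PERL5LIB=/tmp&x=1',
    HTTP_COOKIE     => 'session=constructed',
    HTTP_USER_AGENT => '() { constructed-value',
    LEGACY_VAR      => '() { constructed-value',
);

my ($kept, $dropped) = scrub_env(\%sample);
print "kept:    @{[ sort keys %$kept ]}\n";
print "dropped: @$dropped\n";

# Child processes started inside this block see only the scrubbed environment.
{
    local %ENV = %$kept;
    system('/bin/sh', '-c', 'env | sort') == 0 or warn "child failed: $?\n";
}
```

A script that still needs request data should copy it into Perl variables before scrubbing and pass it to children as arguments or on stdin.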

