Perl CGI and taint

I’ve just emerged from an hour or so of debugging a Perl CGI script. I was trying to use the BioPerl module Bio::Factory::EMBOSS in CGI. My minimal test CGI script, cgi.pl, looked like this:

#!/usr/bin/perl -Tw
use strict;
use CGI;
use Bio::Factory::EMBOSS;

my $f = new Bio::Factory::EMBOSS;
my $cgi = new CGI;

print $cgi->header,
      $cgi->start_html,
      $cgi->end_html;

Apache doesn’t like it:

[error] [client 192.168.0.3] Premature end of script headers: cgi.pl

Strange. I followed the advice at this page and added the following immediately after the shebang line:

BEGIN {
    $| = 1;                               # unbuffer STDOUT so partial output reaches Apache
    print "Content-type: text/html\n\n";  # emit a header before anything can die
    use CGI::Carp('fatalsToBrowser');     # send die() messages to the browser instead of the log
}

The page now loads far enough to show an informative error. (This is a debugging aid only: because the header is already printed in BEGIN, the script's own $cgi->header now appears as text in the body, so take the block out again once the fault is found.)

Insecure $ENV{PATH} while running with -T switch at /usr/local/share/perl/5.8.7/Bio/Factory/EMBOSS.pm line 251.

The offending line 251 reads:

open(WOSSOUT, "wossname -auto |") || return;

What is going on: under -T, every value that reaches the program from outside is tainted, and that includes all of %ENV as handed over by Apache. Starting an external program by a bare name such as wossname (an EMBOSS executable) means the lookup depends on $ENV{PATH}, which is tainted, so Perl refuses to run the command at all rather than trust a search path an attacker might have influenced. Assigning a literal string to $ENV{PATH} replaces it with a value that was never tainted. We're almost there; knowing that the EMBOSS binaries are in /usr/local/bin, you add:

$ENV{'PATH'} = '/usr/local/bin';

The CGI script now runs happily with the -T switch. Two caveats before relying on that: Perl also insists that every directory in the sanitised PATH be absolute and not writable by anyone other than its owner and group, and perlsec recommends clearing the other variables a spawned shell would honour, with delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}. And with PATH reduced to /usr/local/bin, anything else the script (or BioPerl) shells out to must live there too, or be called by absolute path.
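As an added example (not the post's own code, and not part of BioPerl), here is a taint-safe version of the same shell-out, written the way I would do it in a CGI script: it shows that $ENV{PATH} really is tainted before the scrub, performs the scrub perlsec recommends, checks the directory conditions Perl enforces, and runs wossname through a list-form pipe open so no shell is involved. It assumes, as the post does, that EMBOSS is installed in /usr/local/bin; the PATH value and the diagnostic messages are my choices.

```perl
#!/usr/bin/perl -T
# Added example: taint-safe setup for a CGI script that must spawn an EMBOSS
# program. Assumes wossname lives in /usr/local/bin (as in the post).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, everything that arrives from outside is tainted, %ENV included.
print STDERR "PATH tainted before scrub: ", (tainted($ENV{PATH}) ? 'yes' : 'no'), "\n";

# perlsec: assign a literal (literals are never tainted) and drop the
# variables a spawned shell would read.
$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';   # assumed layout
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print STDERR "PATH tainted after scrub:  ", (tainted($ENV{PATH}) ? 'yes' : 'no'), "\n";

# Perl additionally requires, when the command name contains no slash, that
# each PATH directory be absolute and not writable by others. Check that
# up front so the failure is explained instead of reported as "Insecure".
for my $dir (split /:/, $ENV{PATH}) {
    die "relative directory in PATH: $dir\n" unless $dir =~ m{^/};
    next unless -d $dir;
    die "directory in PATH writable by others: $dir\n" if ((stat $dir)[2] & 0002);
}

# List-form pipe open: the arguments go straight to exec(), so nothing is
# re-parsed by a shell. Compare the string form "wossname -auto |" in the post.
sub run_wossname {
    open(my $fh, '-|', 'wossname', '-auto')
        or die "cannot run wossname: $!\n";
    my @lines = <$fh>;
    close $fh
        or die "wossname failed: ", ($! ? $! : 'exit status ' . ($? >> 8)), "\n";
    return @lines;
}

my @out = run_wossname();
print "Content-type: text/plain\n\n";
print "wossname reported ", scalar(@out), " lines\n";
```

Run it as `perl -T script.pl` (or directly via the shebang); invoking it as `perl script.pl` fails with "Too late for -T". The STDERR lines land in Apache's error log when the script runs as a CGI. If EMBOSS is not installed, substitute any program that exists in the sanitised PATH to exercise the taint handling on its own.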

And that’s how you debug Perl CGI.