Web Hosts that don’t want their servers and clients to be secure?
Saturday, October 4th, 2008 by Tim Greer
Yes, it’s true. Not only are some hosts ignorant and unskilled in this area, but it seems that some are unwilling to take steps to improve the security of their servers or their clients’ scripts. Believe it. Worse, some will even disable security measures, and for no good reason. I don’t mean being “client friendly” by leaving every feature or service on the server unrestricted and relaxing security policies so as not to “annoy” clients; I mean a case where a poster on a Usenet newsgroup reported that when they tried to use taint mode in a CGI script written in Perl, it would error out. We all thought they must be mistaken: this would have to be an intentional action and a specialized build, and for what reason?
Just to remove a specific security feature that helps clients write and run more secure scripts? This isn’t even forced on anyone; it’s simply an option in Perl to watch for, and warn or error on, really bad, really insecure functions and practices. Yet this host insisted they didn’t offer it and wouldn’t, and that they had disabled it as a matter of policy. This made everyone reading the thread do a double take and just ask why. Questions pondered with no rightful or sensible answers. It’s unimaginable that a web hosting provider, which is supposed to specialize in this field, would intentionally remove a security feature that doesn’t in any way hinder the client’s experience or options and is only intended to help them write more secure scripts, and then only if they choose to use it by adding the -T switch to their shebang line (or calling a module). This is crazy, but it’s true.
Some hosts are more than just lazy or unwilling; some apparently make actual efforts to make their systems and clients less secure. I’m still left pondering this. The only conclusion I can reach is that perhaps they are running mod_perl’s CGI emulation, and since the Apache process running that emulation has a global environment, by the time the script asked for taint mode it would warn that it was “too late” to enable it and fail with an error to that effect. Still, it sounds like that’s not the case. I don’t usually encourage people to seek a different hosting provider, but in this case, that provider can only be bad news. I don’t get why people wouldn’t care about security, but to go as far as to disable good, default security options in the Perl interpreter, I’ll never understand that, and I find it even more troubling.
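To make concrete what the -T switch discussed above actually does for a client’s script, here is an added example (not code from the original post or from the host in question): a small CGI-style script that reads a name=value parameter, shows that the value arrives tainted, untaints it through an allow-list regex, and only then hands it to system(). The file name taint_demo.pl and the name parameter are assumptions for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post: what Perl's taint mode
# (-T) checks, and how a script untaints input deliberately.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# ${^TAINT} is 1 when the interpreter is running with -T. A quick way to
# confirm that a host's perl honours the switch: perl -T -e 'print ${^TAINT}'
print "taint mode active: ${^TAINT}\n";

# Under -T, system()/exec() refuse to run unless PATH is set from inside the
# program and the shell-influencing variables are cleared.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Everything that enters from outside (%ENV, @ARGV, STDIN, files, sockets)
# is tainted. A CGI script would read QUERY_STRING; from the command line we
# take the same "name=value" string as the first argument (constructed input).
my $raw = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING}
        : defined $ARGV[0]           ? $ARGV[0]
        : die "usage: perl -T taint_demo.pl 'name=alice'\n";

# split() keeps the taint on its results, so %param is still tainted here.
my %param = map { my ($k, $v) = split /=/, $_, 2; ($k, defined $v ? $v : '') }
            split /&/, $raw;
my $name = defined $param{name} ? $param{name} : '';

printf "tainted(\$name) before untainting: %d\n", tainted($name) ? 1 : 0;

# The sanctioned way to untaint is to capture the part you have validated
# with a regular expression; $1 is untainted. Anything else is rejected.
sub untaint_name {
    my ($value) = @_;
    if ($value =~ /\A([A-Za-z0-9_-]{1,32})\z/) {
        return $1;
    }
    die "Refusing unsafe value for name: '$value'\n";
}

my $safe = untaint_name($name);
printf "tainted(\$safe) after untainting:  %d\n", tainted($safe) ? 1 : 0;

# Passing $name here instead of $safe would die with
# "Insecure dependency in system while running with -T switch".
system('/bin/echo', "Hello, $safe") == 0
    or die "echo failed: $?\n";
```

Run it as `perl -T taint_demo.pl 'name=alice'` and again with a value outside the allow-list, such as `'name=alice?'`, to see the script refuse the input before anything reaches system(). Running it as `perl taint_demo.pl` (without -T on the command line) reproduces the “too late” failure the post speculates about: perl only notices the -T on the #! line after it has already started, and reports `Too late for "-T" option`. Under mod_perl the switch likewise cannot be honoured per script by an already-running interpreter; taint checking has to be enabled server-wide (PerlSwitches -T in mod_perl 2, PerlTaintCheck On in mod_perl 1), which is exactly the kind of configuration a host would have to provide rather than remove.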