MLUG: RE: [MLUG] CGI security question
> > Suppose that I have a perl CGI script.  I want to do a search using
> > regular expressions.  So I do something like
> >
> > use CGI;
> >
> > $search = param("search");
> >
> > .....
> >
> >   /$search/
> >
> > .....
> >
> > Is this likely to be a security problem?
> 
> Answer 1: Check "man perlsec" to make sure.
> 
> Answer 2: If taint checking were enabled on this script, it 

These are both excellent suggestions.  'Man perlsec' will discuss taint
checking ad nauseam, and provides a few methods to 'clean' your variables
(some of which just defeat the taint check, but at least then it's your own
fault!).  :-)

Enable taint checking at the beginning of your script like this:

#!/usr/bin/perl -T

or better:

#!/usr/bin/perl -wT

(That keeps you from doing a few other stupid and/or dangerous things as
well.)

Note, though, that some modules from CPAN don't get along well with either
-w or -T.  Traceroute.pm, for instance, has problems with either one (I'm
gonna try to get the author to fix this, if I can't send him a patched
version myself...).

--J
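An added example, not code from the thread or from any module it mentions, that puts the two answers together: a -wT script that launders the "search" parameter with a capturing regex as perlsec describes, then quotes it with \Q...\E so the user's text is matched literally. The record list, the character whitelist and the function names are assumptions made for illustration.

```perl
#!/usr/bin/perl -wT
# Added example, not code from the original thread. Taint mode plus a
# laundered, literal search term. Record list, whitelist and function
# names are assumptions for illustration.
use strict;
use warnings;
use CGI qw(param);
use Scalar::Util qw(tainted);

# Constructed sample data standing in for whatever the script searches.
my @records = ('apache httpd 2.2', 'perl 5.8.8 (cgi)', 'postfix mta', 'a+b grammar');

# perlsec: the only way to clear the taint flag is to extract the value
# with a capturing regex. Anything outside the whitelist is rejected,
# which also caps the length and keeps regex metacharacters out entirely.
sub untaint_search {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A([\w .+-]{1,64})\z/;
    return $1;
}

# \Q...\E quotes the term, so "a+b" matches those three characters, not
# "ab"/"aab". Note that -T alone never complains about /$search/: a regex
# match is not a taint-checked operation. What -T stops is an unlaundered
# value reaching open(), system(), backticks or string eval.
sub matching_lines {
    my ($term, @lines) = @_;
    return grep { /\Q$term\E/i } @lines;
}

# Take the term from the CGI parameter, or from the command line when run
# as "perl -T search.cgi TERM" for testing; both are tainted under -T.
my $raw  = @ARGV ? $ARGV[0] : param('search');
my $term = untaint_search($raw);

print "Content-Type: text/plain\r\n\r\n";
if (!defined $term) {
    print "Search term rejected (letters, digits, space, . + - only)\n";
    exit 0;
}
# Sanity check: laundering really did clear the flag.
die "term is still tainted\n" if tainted($term);

print "$_\n" for matching_lines($term, @records);
```

Because the shebang carries -T, invoke it as `perl -T search.cgi 'a+b'` when testing from a shell; plain `perl search.cgi` dies with "Too late for -T".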
--
To unsubscribe, go to http://mlug.missouri.edu/members/edit.php

Archives are available at http://mlug.missouri.edu/list-archives/