[vox-tech] Need help securing a simple perl CGI

Henry House vox-tech@lists.lugod.org
Tue, 19 Feb 2002 16:27:00 -0800


On Sun, Feb 17, 2002 at 10:26:28PM -0800, Ryan wrote:
> This is a perl cgi script I wrote to allow me to have large html files on my
> web host without exceeding my storage quota.
>
> I'd like it looked at, _I_ can no longer abuse it to run random commands or
> go where I shouldn't, but that doesn't mean others can't.
>
> Any other feedback would also be great.

This is not a direct comment on your script, but will help in such
situations. My suggestion: use perl's taint mode, which turns on a paranoid
security system within the perl interpreter. Unsafe operations (such as
opening a file whose name came from CGI input) remain possible, but must be
specifically cleared by calls to the taint mechanism, which minimizes
accidental security breaches. Highly recommended. See perlsec(1).

-- 
Henry House
The attached file is a digital signature. See <http://romana.hajhouse.org/pgp>
for information.  My OpenPGP key: <http://romana.hajhouse.org/hajhouse.asc>.
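
Added example, not part of the message above or of Ryan's script: a minimal taint-mode sketch of the pattern perlsec describes, where a file name from untrusted input is cleared only through an allow-list regex capture. The directory `/srv/bigfiles`, the helper `clean_name` and the sample inputs are assumptions made up for illustration.

```perl
#!/usr/bin/perl -T
# Taint mode must be on from interpreter start: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

my $BASE = '/srv/bigfiles';    # hypothetical directory holding the HTML files

# A regex capture is how a value is cleared, so the pattern is the policy:
# one path component ending in .html, no slash, no leading dot.
sub clean_name {
    my ($raw) = @_;
    return $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]*\.html)\z/ ? $1 : undef;
}

# Constructed sample values (see __DATA__). Anything read from a filehandle
# is tainted, as a CGI parameter would be.
while (my $raw = <DATA>) {
    chomp $raw;
    printf "%-20s tainted=%d\n", "'$raw'", tainted($raw) ? 1 : 0;

    # Write-mode open with a tainted name dies before any file is touched.
    my $ok = eval { open(my $fh, '>>', "$BASE/$raw"); 1 };
    print '  open(>>) on raw value: ', ($ok ? "allowed\n" : "died: $@");

    # perlsec notes that a read-only open is not taint-checked, so the
    # allow-list below is what keeps reads inside $BASE.
    my $name = clean_name($raw);
    if (defined $name) {
        printf "  accepted: %s/%s tainted=%d\n", $BASE, $name,
            tainted($name) ? 1 : 0;
    }
    else {
        print "  rejected by the allow-list pattern\n";
    }
}

__DATA__
index.html
../../etc/passwd
report.html|id
```

In a real CGI script the `-T` switch goes on the `#!` line so the web server starts the interpreter in taint mode.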
