[GLLUG] CGI/Perl Script

Melson, Paul PMelson@sequoianet.com
Tue, 20 Aug 2002 11:14:41 -0400


I've got to agree 100% with Dennis here.  Any time you're passing
user-supplied data to a shell, `perl -T` is a must.  I'd recommend
normalizing your input like this:

#!/usr/bin/perl -T
# -T turns on taint mode: data from the request cannot reach system(),
# exec() or open-for-write until it has been passed through a regex capture.

use CGI qw/:standard *table/;

my $path1 = url_param('path1');   # tainted: it came from the client

if ($path1 =~ /^([-\w.]+)$/) {
	$path1 = $1;                  # the capture group is untainted
} else {
	die "Bad hacker, no donut!";
}


That should allow A-Za-z0-9 as well as '~' and '.' through while
untainting $path1, and cause your script to die if it detects anything
else (like a '&' or ';').  That's a pretty basic example (and the syntax
may not be perfect - I didn't test it, and I concede to being rusty),
but that's pretty much what you want to be doing with all of your user
supplied data.  Only untaint variables that have been checked against
_well-defined_ conditions.  Good luck!

PaulM

PS - What's the final purpose of your script?


-----Original Message-----
From: Dpk [mailto:dpk@egr.msu.edu]
Sent: Tuesday, August 20, 2002 10:28 AM
To: Daniel
Cc: Adam McDougall; Matt Graham; linux-user@egr.msu.edu
Subject: Re: [GLLUG] CGI/Perl Script


Personally, I would avoid using cgi-lib.pl.  It is non-standard and
isn't as scalable as CGI.pm.

#!/usr/bin/perl -T

use CGI qw/:standard *table/;

my $path1 = url_param('path1');
my $path2 = url_param('path2');

With user defined paths, make sure you use taint perl (the -T switch)
and do heavy data scrubbing before passing to the system.  If at all
possible, I would avoid using a user defined path to a file
altogether.

Adam, I'm surprised you posted this request when you have 1000s of
lines of wonderfully written CGI/perl code at your disposal here at
work :)

Dpk
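To make the advice in both messages concrete (taint mode, whitelist untainting, and heavy scrubbing before anything reaches the system), here is an added example that is not from either post. It uses constructed inputs in place of CGI parameters, assumes a script-fixed base directory of /var/www/data, and never hands the value to a shell.

```perl
#!/usr/bin/perl -T
# Added example (not from the list posts): whitelist-untaint one path
# component and use it without ever invoking /bin/sh.
use strict;
use warnings;

# Under -T, anything from outside (CGI params, @ARGV, %ENV) is tainted and
# perl refuses to use it in system/exec until a regex capture extracts it.
# PATH is also tainted, so pin it before any system() call.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Accept only letters, digits, '_', '-' and '.', and refuse '.' and '..'
# so the value cannot climb out of the base directory. Returns undef on
# anything else; the caller decides how to fail (die, 400, etc).
sub untaint_component {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef if $raw eq '.' or $raw eq '..';
    return $raw =~ /^([-\w.]+)\z/ ? $1 : undef;   # $1 is untainted
}

# Constructed inputs, as a CGI script might receive them in ?path1=...
my @candidates = @ARGV ? @ARGV : (
    'report-2002.txt',      # accepted
    'notes;rm -rf /',       # rejected: ';', ' ' and '/' are not whitelisted
    '../../etc/passwd',     # rejected: '/' is not whitelisted
    '..',                   # rejected: would climb out of the base dir
    '-l',                   # accepted by the regex, so '--' below matters
);

my $base = '/var/www/data';   # chosen by the script, never by the user
for my $raw (@candidates) {
    my $clean = untaint_component($raw);
    if (!defined $clean) {
        printf "reject %-22s\n", "'$raw'";
        next;
    }
    my $path = "$base/$clean";   # untainted: built only from clean parts
    # List-form system() bypasses the shell entirely: $path is one argv
    # element, and '--' stops wc from reading a leading '-' as an option.
    my @cmd = ('wc', '-l', '--', $path);
    printf "accept %-22s -> %s\n", "'$raw'", join(' ', @cmd);
    # system(@cmd) == 0 or warn "wc failed: $?";  # enable once $path exists
}
```

Run it as `perl -T script.pl` with no arguments to see the constructed cases, or pass your own candidates on the command line to see @ARGV arrive tainted.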

_______________________________________________
linux-user mailing list
linux-user@egr.msu.edu
http://www.egr.msu.edu/mailman/listinfo/linux-user