Search the Catalog
CGI Programming on the World Wide Web

CGI Programming on the World Wide Web

By Shishir Gundavaram
1st Edition March 1996





This book is out of print, but it has been made available online through the O'Reilly Open Books Project.


Previous Appendix A
Perl CGI Programming FAQ
Next
 

A.5 Security

Is a Perl CGI program more or less secure than a shell or C one?

The answer to this is: A CGI program is prone to security problems no matter what language it is written in!

What particular security concerns should I be aware of?

Never expose any form of data to the shell. All of the following are possible security holes:

open (COMMAND, "/usr/ucb/finger $form_user");
system ("/usr/ucb/finger $form_user");
@data = `usr/ucb/finger $form_user`;

See more examples in the following answers. You should also look at:

WWW Security FAQ (by Lincoln Stein) (http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html)

CGI Security FAQ (by Paul Phillips) (http://www.cerf.net/~paulp/cgisecurity/safe-cgi.txt)

How can I call a program with backtics securely? Is it true that:

@ans = `grep '$user_field' some.file`;  

is insecure?

Yes! It's very dangerous! Imagine if $user_field contains:

; rm -fr / ;  

An equivalent to the above command is:

if (open (GREP, "-|")) {
    @ans = <GREP>
} else {
    exec ("/usr/local/bin/grep", $user_field, "some.file")
        || die "Error exec'ing command", "\n";
}
close (GREP);

Is it true that /$user_variable/ is a security hole in Perl 5?

No! It's not. It's a security hole if you evaluate the expression at runtime using the eval command. Something like this is dangerous:

foreach $regexp (@all_regexps) {
    eval "foreach (\@data) { push (\@matches, \$_) if m|$regexp|o; }";
} 
 


Previous Home Next
Specific Programming Questions Book Index  

Back to: CGI Programming on the World Wide Web


oreilly.com Home | O'Reilly Bookstores | How to Order | O'Reilly Contacts
International | About O'Reilly | Affiliated Companies | Privacy Policy

© 2001, O'Reilly & Associates, Inc.