DigitalKitty has asked for the wisdom of the Perl Monks concerning the following question:

Hi all.
I read the following in a Perl/CGI text but the author didn't elaborate on *why* it should be done.


$ENV{PATH} = "/bin:/usr/bin";
delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };

[download]

When programmers use the phrase 'Sanitizing...', are they referring to doing this? I would like to make my perl scripts as secure as possible and aside from turning taint mode on, I'm not sure what else needs to be done.
Thanks in advance,
-DigitalKitty

Replies are listed 'Best First'.
(Ovid) Re: CGI security.
by Ovid (Cardinal) on Mar 25, 2002 at 20:40 UTC

    Though it's not easy to find, the answer is here. I also have a brief overview of CGI security at my CGI course.

    To summarize the problem with those particular environment variables, though: they change the way your shell behaves, so if you interact with the shell at all, you want your system's behavior to be predictable. However, read the link I provided and you'll have a good understanding of the basics.

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

[reply]
Re: CGI security.
by shotgunefx (Parson) on Mar 25, 2002 at 20:41 UTC
    From perlsec.
    "The PATH isn't the only environment variable which can cause problems. Because some shells may use the variables IFS, CDPATH, ENV, and BASH_ENV, Perl checks that those are either empty or untainted when starting subprocesses. You may wish to add something like this to your setid and taint-checking scripts."

    -Lee

    "To be civilized is to deny one's nature."
[reply]
Re: CGI security.
by cjf (Parson) on Mar 25, 2002 at 21:51 UTC
[reply]

Back to Seekers of Perl Wisdom