Have a look at Use strict warnings and diagnostics or die and perlman:perlsec.
Read up on taint mode.
Read Ovid's CGI tutorial - there is a link on his homenode.

I know that you're trying to do this by calling gpg directly, but you might also want to have a look at CPAN, there is a GnuPG::Interface module. The docs appear quite good.
(Update: There is also the Crypt::PGP5 module if your final target system only has PGP available. Even more impressive is the Crypt::OpenPGP module that arhuman recently mentioned).

There are a number of small errors in your code - have another look at perldoc CGI.
Also, if you're going to use CGI, you're as well using more/all of its functionality.

Start with:

    #!/usr/bin/perl -wT
    # use warnings and use taint mode.
    use strict;
    use CGI qw/:standard/;
    use GnuPG::Interface;

    my $q = CGI->new;

    my $tainted_plain_str = $q->param('plainStr');
    my $plain_str;    # insert code to untaint $tainted_plain_str

    print $q->header;
    print $q->start_html('A webpage');

    # Do your stuff with GnuPG::Interface.
    # Print out your encrypted string.

    print $q->end_html;

Note, I've not been doing this all that long, so check the code I've posted - it's untested.

If you're sufficiently concerned about your data that you're going to be encrypting it with something like GPG, then you should be paranoid when it comes to coding this script (if you absolutely have to do things this way).
There are plenty nodes about security: Think beyond Taint and warnings, Stay aware of security and (OT) Security Rant are all good starters. Use Super Search to look for nodes relating to CGI, PGP/GPG and the like.

Hope it helps.

BazB.

Update: Added more nodes and a suggestion that sometimes paranoia can be a Good Thing(tm).


In reply to Re: Get output from an external program by BazB
in thread Get output from an external program by jholtzman
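
The untaint step and the external gpg call that the reply leaves as placeholders, as an added example that is not part of the original post. It uses core IPC::Open2 rather than GnuPG::Interface; the gpg path, the recipient, the allow-list pattern and the 4096-byte cap are assumptions, and the inputs are constructed stand-ins for `$q->param('plainStr')`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use IPC::Open2;

# Taint mode refuses to run external programs until the environment is clean.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $GPG       = '/usr/bin/gpg';           # assumed install path
my $RECIPIENT = 'recipient@example.org';  # placeholder key, fixed in the script

# Untaint by allow-list: printable ASCII plus tab/CR/LF, at most 4096 bytes.
# Returns the captured (untainted) copy, or undef if the input does not match.
sub untaint_plain {
    my ($tainted) = @_;
    return undef unless defined $tainted;
    return $tainted =~ /\A([\x20-\x7E\t\r\n]{1,4096})\z/ ? $1 : undef;
}

# Feed the plaintext to gpg on stdin and read the armored result from stdout.
# List-form open2 runs gpg directly, so no shell ever parses the data.
sub gpg_encrypt {
    my ($plain) = @_;
    my $pid = open2(my $from_gpg, my $to_gpg,
        $GPG, '--batch', '--no-tty', '--armor',
        '--recipient', $RECIPIENT, '--encrypt');
    print {$to_gpg} $plain;    # small input (see cap above), so no pipe deadlock
    close $to_gpg;             # EOF tells gpg the message is complete
    my $cipher = do { local $/; <$from_gpg> };
    waitpid $pid, 0;
    die "gpg exited with status ", $? >> 8, "\n" if $?;
    return $cipher;
}

# Constructed sample values: the first passes the allow-list, the second
# contains a NUL byte and a non-ASCII character and is rejected.
for my $input ("meet at noon\n", "caf\x{e9} \x00 binary") {
    my $plain = untaint_plain($input);
    if (defined $plain) { print gpg_encrypt($plain) }
    else                { print "rejected input\n" }
}
```

The user-supplied text only ever travels over gpg's stdin; every command-line argument is a constant from the script, which is what lets the call pass taint checks.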
