A few of my own comments. These probably won't be all-inclusive of any potential issues you may face, but they're just what's off the top of my head:

- In my opinion, yes. The only things you should place in or under cgi-bin are items you want the casual browser to be able to execute. Modules do not fit this category, and the casual user may attempt to execute one as a CGI script, causing potentially unexpected things to happen.

- /cgi-bin/ in a way is not outside your document tree. True, they won't be able to hit it and retrieve the contents of the files, but an attempt to execute it may be made. More on this in a bit.

- I'm not quite sure I understand. You have scripts that are called from other scripts (e.g. via system) and are independently called as normal CGI scripts? I guess you don't have much of a choice but to put them in your cgi-bin directory then...? Unless:

- Unless config.pl is something that you expect to be run as a CGI script independently, it should probably be placed someplace where it can't be run as such. A local "library" directory seems optimum.

- Are you talking about @INC or $ENV{PATH}? Your PATH environment variable only affects what items will be run via your system or qx// statements, when the shell has to examine the path to see if it can find the binary you're talking about. Generally, with 'secure' programs, you want to set your PATH explicitly to something sane (like "/bin:/usr/bin") and when you do any system/qx// calls, do so using absolute path names so the shell doesn't have to go hunting. If you're talking about @INC, you should probably specify an absolute path name. What if you move your script later to a subdirectory of cgi-bin? You'll have to re-tool your scripts to point to a different relative path. Just give it an absolute path to, say, /httpd/locallib in the first place and you'll be fine.

In addition, data files need to be kept out of your executable/retrievable space (in, say, your locallib directory), especially in cases where the user can provide a filename for a specific data file (which, presumably, you'd untaint with /(\w+)/ or similar).
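The points in the reply above, pulled together into one minimal CGI script. This is an added example, not code from the original post or thread. It uses the /httpd/locallib directory and the config.pl name the reply mentions; the data subdirectory /httpd/locallib/data, the .txt suffix, the `file` query parameter and the `%Config` hash are assumptions made for the example. The untaint pattern is anchored with \A and \z rather than the bare /(\w+)/ of the reply, so that a name like "foo/../../etc/passwd" is rejected outright instead of having "foo" picked out of it.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): a minimal CGI script that
# applies the advice above. Taint mode (-T) is on, so Perl refuses to pass
# user-supplied data to system() or open() until it has been untainted.
use strict;
use warnings;

# 1. An explicit, sane PATH. Taint mode also requires that the variables a
#    shell would honour (IFS, CDPATH, ENV, BASH_ENV) are not inherited from
#    the web server before any system()/qx// call is allowed.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 2. Library code lives outside cgi-bin and is found by absolute path, so
#    moving this script to a subdirectory of cgi-bin changes nothing.
#    Assumption: /httpd/locallib/config.pl exists and defines %Config.
use lib '/httpd/locallib';
# require 'config.pl';   # enable once /httpd/locallib/config.pl is in place

# 3. Data files live outside both the document tree and cgi-bin.
#    Assumed location for this example:
my $DATA_DIR = '/httpd/locallib/data';

# Minimal query-string parsing so the script needs no non-core modules.
my %q;
for my $pair (split /[&;]/, $ENV{QUERY_STRING} // '') {
    my ($k, $v) = split /=/, $pair, 2;
    next unless defined $k;
    for ($k, $v) { defined and s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
    $q{$k} = $v // '';
}

# 4. Untaint the user-supplied file name. The capture is anchored to the
#    whole string, so "/", "..", NUL bytes and shell metacharacters cannot
#    sneak in beside a valid-looking word; the capture group is what
#    untaints $name for use in open() and system() below.
my ($name) = ($q{file} // '') =~ /\A(\w+)\z/
    or die "Bad or missing file name\n";
my $path = "$DATA_DIR/$name.txt";

print "Content-Type: text/plain\r\n\r\n";

open my $fh, '<', $path or die "Cannot open $path: $!\n";
print while <$fh>;
close $fh;

# 5. External commands: absolute path to the binary and the list form of
#    system(), so no shell is started and $path is never parsed as shell
#    syntax even though it contains user-derived text.
system('/bin/ls', '-l', $path) == 0
    or warn "ls exited with status $?\n";
```

Run it from the web server as an ordinary CGI script, or from the command line as `QUERY_STRING='file=report' perl -T script.pl` (the `-T` must be given on the command line too, or Perl stops with "Too late for -T"). With `file=../config` the regex fails and the script dies before any file or command is touched; with `$ENV{PATH}` left unset, taint mode refuses the `system()` call with "Insecure $ENV{PATH}", which is the check the reply is recommending you satisfy deliberately rather than by accident.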