Since I primarily work on Win32 systems, I cannot fork. I can simulate a fork, but since I have had little call to use it, I am not aware of its limitations. However, using fork is considered a way of ensuring greater security in your code. Since I have been doing a lot of research into CGI security, I'd like to understand this issue better.
Here's a (modified for brevity) snippet of code from page 200 of the excellent book CGI Programming with Perl, Second Edition (note that the previous link is NOT amazon.com):

    my $string = $q->param( 'string' );
    unless ( $string ) { error( $q, "Please enter some text." ) };
    unless ( $string =~ /^[\w .!?-]+$/ ) {
        error( $q, "Invalid character entered." );
    }
    local *PIPE;
    # This code is more secure, but still dangerous...
    # Do NOT use this code on a live web server!!
    open PIPE, "/usr/local/bin/figlet '$string' |" or
        die "Cannot open figlet: $!";
    print $q->header( "text/plain" );
    print while <PIPE>;
    close PIPE;

Personally, I don't see the problem with this code, aside from the lack of taint checking. In fact, the text mentions that the code is secure, but that someone may come along and modify it in a way which opens a security hole. The book recommends replacing the command that opens the pipe with the following code:

    my $pid = open PIPE, "-|";
    die "Cannot fork $!" unless defined $pid;
    unless ( $pid ) {
        exec FIGLET, $string or die "Cannot open pipe to figlet: $!";
    }

Since I have not worked with fork in the past, I am not sure exactly what happens here. Here's what I'm trying to understand:
- How does Perl know that the exec statement is working with PIPE?
- exec typically terminates the current program. What exactly gets terminated with the exec and how does the data get returned?
- Why is this more secure than the previous example? Couldn't someone updating the code create a security hole with a fork as easily as with the original example? If tight taint checking is employed, why would this be an issue?
Cheers,
Ovid
Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
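
An added example, not part of the post above or of the book's code, showing what the forking open does in each process and why the list form of exec keeps the shell away from the user's string. Assumptions: /bin/echo stands in for figlet, a lexical handle replaces the PIPE bareword, and the names run_without_shell and PROG and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: /bin/echo stands in for /usr/local/bin/figlet so the
# example runs on any Unix-like system.
use constant PROG => '/bin/echo';

# Run PROG with $arg as exactly one argv element and return its output.
sub run_without_shell {
    my ($arg) = @_;

    # open with "-|" forks implicitly. Both processes continue from here:
    #   parent: open returns the child's pid; $pipe reads the child's STDOUT
    #   child:  open returns 0; its STDOUT is already the write end of the pipe
    my $pid = open( my $pipe, '-|' );
    die "Cannot fork: $!" unless defined $pid;

    unless ($pid) {
        # Child only. exec replaces the *child's* process image with PROG;
        # the parent is untouched. PROG inherits the child's STDOUT, which
        # is how its output reaches $pipe. The { PROG } block forces the
        # list form even for a single argument, so no shell parses $arg.
        exec { PROG } PROG, $arg or die "Cannot exec: $!";
    }

    # Parent only: read everything the child wrote, then reap it.
    my $output = do { local $/; <$pipe> };
    close $pipe or warn "child exited with status $?\n";
    return $output;
}

# Constructed input containing characters a shell would treat as syntax.
my $string = q{hello'; echo INJECTED; '};
my $out    = run_without_shell($string);

print $out;
print $out eq "$string\n"
    ? "ok: argument reached the program byte for byte\n"
    : "unexpected output\n";
```

With the one-string form of open, the same input would only be safe for as long as the character whitelist in front of it stays intact; here the argument is never parsed as shell syntax, so a later loosening of the regex does not turn into command execution.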