I don't like that in Listing 3 they use backticks. They should have illustrated how to use a safe system() call like:
print system("/bin/whois", $parm);
For that matter, I don't like that they rolled their own way of getting the form parameters. That wheel has been invented.
I don't like this (style, I know :)..
if ($radiobutton =~ m/^(file1|file2|file3)$/)
This isn't a very good regex. Could be better as:
/^file(1|2|3)$/
They say later on..:
Is the CGI script starting subshells? If so, why? Is there a way to accomplish the same thing without starting a subshell?
But in that listing 3, they do start a subshell.
They don't cover safe system calls, preventing users from viewing any file on the system (the common you.com/foo.cgi?file=../../../etc/passwd hole), the Taint.pm and Untaint.pm modules, that -T takes . out of @INC, tainted variables in XS (which is a little different than pure Perl), etc...
I don't believe they mentioned perlsec once.
Do not write a SUID CGI script in a shell scripting language (csh, ksh, etc.). There are too many possible security problems.
Like..?? A pointer to information on why they make this statement would have been good.
I didn't really like the article. They left too much out without even a mention, IMO.
Cheers,
KM
In reply to Re: Safer CGI at SysAdmin
by KM
in thread Safer CGI at SysAdmin
by ybiC
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |