My admin claims that Buqtraq says there are vunerabilities in CGI.pm's handling of file uploads.

To test this theory, I searched buqtraq for such advisories. I found reports of problems with IE, PHP, and an older version of CGI-Lite.pm. Nothing for CGI.pm, which is what I would expect given the module's author and his other works.

Is there a problem or a risk, if you use taint mode and don't allow the user to choose where the uploaded file gets saved?

Update: Thanks for the replies. I need ammunition. I believe CGI.pm is trustworthy, but my admin is convinced that it's got problems, even though he can't provide details about the advisories he seen that argue against it. I think he's talking about the CGI-Lite report, personally, but...

How can I lead this horse to logic *and* make him think. And, yes, I know the old cliche. Put more nicely, please help me combat the FUD.

Also, Chris, I know enough about CGI programming to do something like this: 

#! /usr/bin/perl -wT
use strict;
$|++;

use CGI;
my $query = CGI->new();
# ...and so on...

[download]

Unfortunately, my admin has an issue of misinformation and I don't know how to counter those args. Looking for reassurance from a community he appears to respect.

In reply to CGI.pm FUD by batmonk

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.