Request for Comments

Yup, almost ready to put up the third lesson in my online CGI course. It's rough and incomplete, but I thought I should solicit comments from fellow Monks prior to linking it to the main course. It covers many CGI security basics, but I'd appreciate an overview from monks of all levels.

If you're a security guru, do you see any problems? If you're a CGI newbie, is it clear? For all: any additions that I should make?

It is currently lacking an overview of the Untaint module, but I hope to add that this weekend (cross my fingers).

Also, I have extensively revised lesson two. The answer to the exercise has been significantly expanded.

Any and all feedback would be greatly appreciated!

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just go the the link and check out our stats.

Comment on Request for Comments - CGI Course

Replies are listed 'Best First'.
RE (tilly) 1: Request for Comments - CGI Course by tilly (Archbishop) on Nov 11, 2000 at 02:44 UTC
Your digest suggestion for validating hidden fields is good, but I can see someone misreading that and thinking that they need to create a really random digest each time and send it. Instead make it clear that what you mean is that the digest is kept at the webserver, and never sent. Of course leaving it static is also a bad idea, you should change it regularly. But what is important is that the CGI script can verify the hidden data, not that the user can. Another thing that I am noticing. You may want to make some digressions into links, or produce an index at the top. Reading through your document is very different from referring back to it, and as it grows it could be hard for someone to track down interesting things you said.	[reply]
RE: Request for Comments - CGI Course by extremely (Priest) on Nov 11, 2000 at 04:16 UTC
You should color good and bad examples differently and a more complete set of untainting examples might be a good idea. -- $you = new YOU; honk() if $you->love(perl)	[reply]
Re^2: Request for Comments - CGI Course by Kalaiselvan (Initiate) on Nov 05, 2008 at 12:18 UTC
How to call a .pl file in cgi. Is it possible or not? Note: I don't need to download the .pl.	[reply]
Small nit, RE: RFC - CGI Course by clintp (Curate) on Nov 12, 2000 at 22:50 UTC
A variable can only be untainted by extracting Variables aren't tainted. Scalar values are tainted. Thus, portions of a hash can be tainted while other parts aren't. (Or an array.) Once a variable is tainted, Perl won't allow you to use it in a system(), exec(), Second nit, I haven't tested this but according to Perlsec, you can use the LIST form of system and exec and taint-checking is bypassed.	[reply]
RE: Request for Comments - CGI Course by cephas (Pilgrim) on Nov 14, 2000 at 05:18 UTC
Overall it is a good tutorial. But I think you might like to add some text covering the list forms of system() and exec(). Along those same lines, you should give some amount of coverage to sysopen() vs open(). Another thing you may want to include is some discussion of cookies and the fact that like the hidden fields, unless you do some form of encrypting or digesting of information, the user is free to edit those at will with the possibility of mucking up your system. cephas	[reply]
sysopen (RE: Request for Comments - CGI Course) by tye (Sage) on Nov 14, 2000 at 06:15 UTC
Good comments. On the sysopen() issue, I'd like to note that you can also just use something like: `open( FILE, "< $filename\0" )` [download] The leading mode (`"<"` in this case but can be many other modes like `">>"` or `"+<"`), the separating space (between the mode and the file name), and the trailing null ("\0"), when all present together, prevent interpretation of the file name. So pipes ("\|") or greater thans (`">"`) in the $filename string won't cause Perl to spawn a subprocess or write to a file that you wanted to read from. This works even in Perl4. Checking the documentation for this I find that modern versions of Perl also support: `open( FILE, "<", $filename )` [download] I find no reference to the old method that I described above. I suspect that this is because it has been removed from the documentation not because it has been removed from Perl (because the latter would be sad, replacing a solution that ports to old versions of Perl with one that doesn't). I'll have to do some checking and report back. Using these can be more convenient than using sysopen() while still closing the same security holes. - tye (but my friends call me "Tye")	[reply] [d/l] [select]