in reply to How do I test for potential security problems?

Your friend here is the -T switch. You should put it at the beginning of your shebang line switches:

#!/usr/bin/perl -Tw

(the w is the warning switch, which you probably want enabled, as well as the <kbd>use strict;</kbd>)

It will taint the incoming parameters, drastically reducing the potential security issues. You may also want to read perlsec for more detailed advice on Perl security.

<kbd>--
PerlMonger::Paris(http => 'paris.pm.org');</kbd>
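As an added example (not code from the post above), the untainting pattern perlsec prescribes, written as a small -T script. Under -T the only way to remove the taint is a regex capture, so the regex doubles as the input validation; a catch-all like /(.*)/ would untaint anything and defeat the point. The script reads its value from @ARGV, which is tainted under -T just like a CGI parameter would be; the function name untaint_username, the allowlist pattern and the /tmp/board directory are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -Tw
use strict;
use Scalar::Util qw(tainted);

# Under -T every value that comes from outside the program (CGI parameters,
# @ARGV, %ENV, STDIN, file contents) is tainted, and Perl refuses to use it in
# anything that affects the outside world: system(), exec(), backticks,
# open() for writing, unlink(), eval STRING and so on.
# The only sanctioned way to untaint is a regex capture, so the pattern *is*
# the validation. A capture like /(.*)/ untaints everything and is a bug.

# system() and friends also die if $ENV{PATH} is tainted, so pin it down.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical data directory chosen for this example; any fixed path works.
my $DATA_DIR = '/tmp/board';

# Return the username untainted if it matches the allowlist, nothing otherwise.
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw;
    return unless $raw =~ /\A([a-z][a-z0-9_]{0,15})\z/;
    return $1;    # the captured text is untainted; $raw is still tainted
}

# Here @ARGV stands in for $q->param('user') from CGI.pm; both are tainted.
my $raw_user = shift @ARGV;
die "usage: $0 USERNAME\n" unless defined $raw_user;

printf "raw value tainted: %s\n", tainted($raw_user) ? 'yes' : 'no';

my $user = untaint_username($raw_user);
if (!defined $user) {
    # Reject rather than "clean up": a bad value never reaches the filesystem.
    die "rejected: username must match [a-z][a-z0-9_]{0,15}\n";
}
printf "validated value tainted: %s\n", tainted($user) ? 'yes' : 'no';

# Opening for append with a tainted name would die with
# "Insecure dependency in open while running with -T switch".
mkdir $DATA_DIR unless -d $DATA_DIR;
open my $fh, '>>', "$DATA_DIR/$user.log"
    or die "cannot open $DATA_DIR/$user.log: $!";
print $fh scalar(localtime), " login for $user\n";
close $fh;
print "wrote $DATA_DIR/$user.log\n";
```

Run it as `perl -T script.pl alice` and then as `perl -T script.pl '../../etc/passwd'`: the first writes the log file, the second is rejected before open() is reached. The pattern anchors with \A and \z rather than ^ and $, so a trailing newline in the input cannot slip through.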

Re: Re: How do I test for potential security problems?
by Gryphaan (Beadle) on Jan 16, 2001 at 17:15 UTC
    OeufMayo,

    Thanks for the quick reply. I've added taint checking and I only had to modify one routine to untaint some data.

    But I'm still faced with the potential of rogue input. For example, I've experienced this nice bit of input in a message board.

    <marquee onstart=for(i=0;i<500;i++)prompt()>


    This doesn't seem to affect Netscape, but IE gets hit and pops a window up 500 times. Since the program needs to accept HTML, is there a good way to eliminate stuff like this?

    TIA,

    -- Brian

      I don't have any code around to do this, but you might want to check HTML::Parser or HTML::TokeParser.

      The idea is to scan the user input for tags or attributes you don't want him/her to use (<SCRIPT>, <MARQUEE>, etc.), strip them and store the resulting HTML field.

      <kbd>--
      PerlMonger::Paris(http => 'paris.pm.org');</kbd>
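As an added example, not code from either poster, here is an HTML::Parser-based sanitizer for the message-board case. It goes one step beyond the suggestion above: instead of stripping the tags known to be bad, it keeps only an allowlist of tags and attributes and re-encodes everything else as text, so the onstart handler on the <marquee>, any on* attribute on an otherwise harmless tag, and tags invented after the list was written are all dropped without anyone having to name them. The function names sanitize_html and attr_ok, the contents of the allowlist and the sample post are assumptions made for this example.

```perl
#!/usr/bin/perl -Tw
use strict;
use HTML::Parser ();
use HTML::Entities qw(encode_entities);

# Allowlist: tag name => attributes permitted on it. Anything not listed here
# (script, marquee, iframe, style, every on* event handler, ...) is dropped.
my %ALLOWED = (
    p => [], br => [], b => [], i => [], em => [], strong => [],
    code => [], pre => [], blockquote => [], ul => [], ol => [], li => [],
    a => ['href'],
);

# Value checks for the few attributes that are allowed at all.
sub attr_ok {
    my ($tag, $name, $value) = @_;
    if ($name eq 'href') {
        # Plain web links only; this rejects javascript:, data:, vbscript: ...
        return $value =~ m{\A\s*https?://}i;
    }
    return 1;
}

sub sanitize_html {
    my ($html) = @_;
    my $out = '';

    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [ sub {
            my ($tag, $attr) = @_;    # HTML::Parser lowercases tag and attribute names
            return unless exists $ALLOWED{$tag};
            my $open = "<$tag";
            for my $name (@{ $ALLOWED{$tag} }) {
                next unless defined $attr->{$name};
                next unless attr_ok($tag, $name, $attr->{$name});
                $open .= qq{ $name="} . encode_entities($attr->{$name}, '<>&"') . q{"};
            }
            $out .= "$open>";
        }, 'tagname, attr' ],
        end_h => [ sub {
            my ($tag) = @_;
            $out .= "</$tag>" if exists $ALLOWED{$tag};
        }, 'tagname' ],
        text_h => [ sub {
            # dtext is the entity-decoded text; re-encoding it normalises
            # whatever the user wrote (&lt;, &#60;, a raw <) to one safe form.
            my ($text) = @_;
            $out .= encode_entities($text, '<>&"');
        }, 'dtext' ],
        # comments, <!DOCTYPE ...> and <?...?> get no handler and vanish
    );
    # Throw away the bodies of script/style instead of echoing them as text.
    $p->ignore_elements(qw(script style));
    $p->parse($html);
    $p->eof;
    return $out;
}

# Constructed sample post, including the payload quoted in the thread.
my $posted = <<'HTML';
<p>Hi <b onclick="alert(1)">all</b>, see <a href="javascript:alert(1)">this</a>
and <a href="http://paris.pm.org/">that</a>.</p>
<marquee onstart=for(i=0;i<500;i++)prompt()>surprise</marquee>
<script>document.cookie</script> 1 &lt; 2 &amp;&amp; 3 > 2
HTML

print sanitize_html($posted), "\n";
```

In the output the <b> survives without its onclick, the javascript: link loses its href while the http: link keeps it, the marquee and script disappear with only the word "surprise" left as text, and the stray > becomes &gt;. Two caveats: HTML::Parser does not track nesting, so an unclosed <b> stays unclosed (wrap the result in a container or balance tags yourself), and the sanitized string is still tainted under -T, which is fine as long as it is only printed or stored and never handed to open() or system().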