I don't like that in Listing 3 they use backticks. They should have illustrated how to use a safe system() call like:

print system("/bin/whois", $parm);

For that matter, I don't like that they rolled their own way of getting the form parameters. That wheel has been invented.

I don't like this (style, I know :)..

if ($radiobutton =~ m/^(file1|file2|file3)$/)

This isn't a very good regex. Could be better as:

/^file(1|2|3)$/
[download]

They say later on..:

Is the CGI script starting subshells? If so, why? Is there a way to accomplish the same thing without starting a subshell?

But in that listing 3, they do start a subshell.

They don't cover safe system calls, preventing users from viewing any file on the system (the common you.com/foo.cgi?file=../../../etc/passwd hole), the Taint.pm and Untaint.pm modules, that -T takes . out of @INC, tainted variables in XS (which is a little different than pure Perl), etc...

I don't believe they mentioned perlsec once.

Do not write a SUID CGI script in a shell scripting language (csh, ksh, etc.). There are too many possible security problems.

Like..?? A pointer to information on why they make this statement would have been good.

I didn't really like the article. They left too much out without even a mention, IMO.

Cheers,
KM

shameless plug coming up:

Did you check the links in Outside Links in the section CGI & Security?

neophyte Niederrhein.pm

Good answer, neophyte!   8^)   That wing o' the Monastery sure has been expanded since I last looked.

I'm fairly comfortable with the basics of Perl CGI security, and had already encountered and read most of those links.   Was hoping a monk who truly groks such things would consider critiquing the article.   I thought it was good, but recognise that others might see innacuracies or oversights I'm unaware of.
    cheers,
    Don
    striving for Perl Adept
    (it's pronounced "why-bick")

This is not really a complaint, just a point. Mod_perl when setup right is almost as fast as a C CGI script. Your final section recommended using perl if perl could so the job fast enough, because of the extra security features, or use C otherwise. I disagree - not because I think you are wrong, I jsut feel that your comments are a few years out of date. I suggest that mod_perl should be used if a simple CGI script cannot work fast. I don't suggest this because I am anti-c or pro-perl but because C is much harder to make secure than perl.

When I was a pure C coder (a few years back now) there was some call for using C as a CGI language. In fact, my first forays into web design were written in C. These days I would never consider using C, the thought of reinventing the security wheel every time you write a script, and for no apparent gain doen't appeal to me.

The one thing I really want to point out is this is not an attack on your article.... I wish I had had something like that to read while I was working as a webmaster ;)

Wow, Caillte, I wish I were smart enough to have written that article! {grin} I just read it, learned a few things, and hoped to find out what other monks thought about it.

"C is much harder to secure than Perl..."
See, there I learned yet another tidbit about (gasp) C.   BTW, your comments don't sound complaining or attacking to me.
    cheers,
    Don
    striving for Perl Adept
    (it's pronounced "why-bick")