I don't like that in Listing 3 they use backticks. They should have illustrated how to use a safe system() call like:

print system("/bin/whois", $parm);

For that matter, I don't like that they rolled their own way of getting the form parameters. That wheel has been invented.

I don't like this (style, I know :)..

if ($radiobutton =~ m/^(file1|file2|file3)$/)

This isn't a very good regex. Could be better as:

/^file(1|2|3)$/
[download]

They say later on..:

Is the CGI script starting subshells? If so, why? Is there a way to accomplish the same thing without starting a subshell?

But in that listing 3, they do start a subshell.

They don't cover safe system calls, preventing users from viewing any file on the system (the common you.com/foo.cgi?file=../../../etc/passwd hole), the Taint.pm and Untaint.pm modules, that -T takes . out of @INC, tainted variables in XS (which is a little different than pure Perl), etc...

I don't believe they mentioned perlsec once.

Do not write a SUID CGI script in a shell scripting language (csh, ksh, etc.). There are too many possible security problems.

Like..?? A pointer to information on why they make this statement would have been good.

I didn't really like the article. They left too much out without even a mention, IMO.

Cheers,
KM