Gryphaan has asked for the wisdom of the Perl Monks concerning the following question:

Hello all,
I have an application that accepts a lot of user data and I want to be as safe and secure as possible. At no time is anything supplied by the user used in any system or exec commands.

Most of the incoming data is either used for program decisions or saved in a flat file database.

OK, now the question. Do you consider the following code to be secure and hacker proof?
If not, why not and how can I improve it.
    @special = ("body", "subject", "link_url", "pid");
    foreach $field (keys %form_data) {
        # specific fields that can have additional characters
        if($field eq "body" || $field eq "subject" || $field eq "link_url" || $field eq "pid") {
            # we're looking for specific hacker tricks here
            foreach (@special) {
                $form_data{$_} =~ s/system\(.+//g;
                $form_data{$_} =~ s/grep//g;
                $form_data{$_} =~ s/\srm\s//g;
                $form_data{$_} =~ s/\srf\s//g;
                $form_data{$_} =~ s/\.\.([\/\:]|$)//g;
                $form_data{$_} =~ s/< *((SCRIPT)|(APPLET)|(EMBED))[^>]+>//ig;
            }
        # all other fields get sifted here
        } elsif($form_data{$field} ne "") {
            unless ($form_data{$field} =~ /^([-\@\w.\s]+)$/) {
                # exit handler here
            }
        }
    }
Thanks in advance
-- Brian

Replies are listed 'Best First'.
Re: Opinions needed on CGI security
by merlyn (Sage) on Feb 14, 2001 at 06:37 UTC
    Specify what is permitted, not what is discouraged.

    And to do that, you'll need to know what the domain of the data is, and what would be safe or dangerous there. This code above is unsafe from that perspective, because you've simply ruled out some common things that are dangerous in some contexts, but not others.

    So in general, I'd stamp this code as "good intention, bad implementation", mostly because it starts to give the illusion of security, when in fact it does no such thing.

    -- Randal L. Schwartz, Perl hacker

Re: Opinions needed on CGI security
by Trimbach (Curate) on Feb 14, 2001 at 08:14 UTC
    I think Merlyn's suggestion is well-said: filter by what is allowed... but I, too, have wondered the same thing. Given that you have a CGI that (as Gryphaan said) performs no system calls of any kind, and that the only allowed communication outside the script is through a (presumably already named) plain text file, what sort of vulnerabilities could this program possibly have? Sure, there are system-wide security measures to be taken: holes to patch through the OS, the web server, the file system, the router and so on, but that's beyond the scope of the question. I guess it all boils down to this: given this set of assumptions is there anything at all to worry about? Or is fear of the bogeyman hacker nothing more than hypochondria?

    Gary Blackburn
    Trained Killer

      Consider the following data
      <<script (not real script)>script (dirty nasty stuff)>
      Trust me, this is not a bogeyman. merlyn is saying that it is a mistake to think in terms of just trying to remove known dangerous constructs because it is. That way lies madness.

      Decide what you will allow, and explicitly escape everything that does not fit a known and specified safe pattern.

        I understand completely about filtering by what you will accept and not trying to imagine what to reject... I said as much in my post. My question is, if you have a CGI that does:
            $a = "some CGI data <<script blah blah evil stuff";
            open (F, ">>file.txt") or die "cannot open file.txt: $!";
            print F $a;
            close F;
        ... and that's the sum total of the CGI's interaction with the rest of the world, what could a hacker (or anyone) do that's evil? Now, if you will (say) be outputting a web page based on this data later on that's a different story... but that's not the question.

        My point is that I agree wholeheartedly that we should be as diligent as necessary to secure our programs and our data. But at some point (and this is a good example) "diligence" turns into unnecessary paranoia.

        Gary Blackburn
        Trained Killer

        Update: Ok, so maybe the point from the original poster was to use the data to populate a web page. :-P Seems to me in that case that there's no reliable way of filtering out all possible evil HTML/Javascript (please, someone correct me if there is). But other than that, what else does the poster need to do?

Re: Opinions needed on CGI security
by arturo (Vicar) on Feb 14, 2001 at 19:03 UTC

    My refrain (you didn't mention this!): turn on taint mode (add -T to your #!perl line, if it's 'traditional' CGI), and your script will die if you attempt to use untainted data in an unsafe manner. This will help enormously in figuring out what you need to do.

    Philosophy can be made out of anything. Or less -- Jerry A. Fodor
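Putting merlyn's "specify what is permitted" advice and arturo's taint-mode advice together, here is an added example (not code from the thread or from any poster) of an allow-list validator for the original poster's four fields; the field patterns, the sample input and the helper names are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example: allow-list validation under taint mode. Field names come
# from the thread; the patterns are assumed, not the poster's.
use strict;
use warnings;

# One anchored pattern per field. Anything that does not match is
# rejected outright instead of being "cleaned" with substitutions.
my %allowed = (
    pid      => qr/^([0-9]{1,10})$/,
    subject  => qr/^([\w .,!?'"-]{1,100})$/,
    link_url => qr{^(https?://[\w.-]+(?:/[\w./?=&%-]*)?)$},
    body     => qr/^([\w\s.,;:!?'"()-]{1,2000})$/,
);

# Returns the untainted value or undef on rejection. Under -T, only a
# capture from a regex match untaints data, so $1 is what gets returned.
sub validate {
    my ($field, $value) = @_;
    return unless exists $allowed{$field};
    return unless defined $value && $value =~ $allowed{$field};
    return $1;
}

# A value that is safe to store still needs escaping when it is later
# printed into a web page (the case raised in Trimbach's update).
sub escape_html {
    my $s = shift;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Constructed sample input, including the kind of data quoted in the thread.
my %form_data = (
    pid      => '42',
    subject  => 'Hello <<script (not real script)>script (dirty nasty stuff)>',
    link_url => 'http://example.com/page?id=1',
    body     => 'Plain text body',
    extra    => 'unexpected field',
);

for my $field (sort keys %form_data) {
    my $clean = validate($field, $form_data{$field});
    if (defined $clean) {
        printf "%-8s ok: %s\n", $field, escape_html($clean);
    } else {
        printf "%-8s rejected\n", $field;
    }
}
```

Run it as `perl -T script.pl` (perl refuses a `-T` shebang when the command line lacks it); the "subject" and "extra" entries are rejected, the other three print escaped.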