Re: Getting help with CGI's
by footpad (Abbot) on Apr 09, 2001 at 23:30 UTC
I think astanley's on the right track, but I might take a combined approach.
Before installing a free package, read the source and see if the basics are covered: Does it
- use -wT?
- use strict?
- untaint input lightly (e.g. no .* issues.)
If so, then ask your friend to do a quick once over. That shouldn't take too long and might result in some interesting discussion.
Assuming that you friend is okay with it, then install it.
Finally, review some of these columns and see what you pick up. You may be surprised at how quickly you grasp the basics.
Also, be sure you read the following very carefully: perlsec and the WWW Security FAQ.
CGI Programming with Perl offers a good discussion on the subject, one nicely complemented by Writing CGI Applications with Perl.
--f
Re: Getting help with CGI's
by Fastolfe (Vicar) on Apr 09, 2001 at 23:20 UTC
If your goal is to be competent with Perl, I highly recommend you have a go at it yourself, and then refer it to your friend for a review. If you're concerned about security (which you should be), read perlsec and run your script with taint-checking enabled (-T). Every time you have a tainting violation, make a point to thoroughly understand why this is a violation and fix it.
By the time you're done, you'll be a bit better off, and you'll have a few ideas of things you would have done differently. Spend a month working on a different project, come back and re-write it if you want.
If you're going to risk security holes, I'd rather have a slightly insecure but proprietary application than a slightly insecure publicly available application. Of course, as you learn more, you'll figure out ways to watch for and correct potential security issues.
But whatever you do, don't just leave your first-time scripts like this alone after you're done with them. If you're a relative Perl novice, do try and re-visit your old code once in a while and make improvements or re-writes.
On the other hand, if your goal is to be up and running as quickly as you can, you're going to either have to trust what you install (either what's publicly available or what your friend writes), or know enough (or someone that knows enough) to do a thorough security audit of the application.
Re: Getting help with CGI's
by astanley (Beadle) on Apr 09, 2001 at 23:11 UTC
I think worrying about a "free" solution being prone to security holes is a valid concern; however, a complex script like that thrown together in 30 minutes will almost definitely be prone to a multitude of security problems due to its untested and quickly-hacked nature. One that you write yourself your first time would be the best solution experience- and security-wise as long as you gave yourself ample time to test, retest, have bug-checked, and develop a sound and secure application. The short summary of my long response is: if you want something now and something secure, go with a free one; if you can stand to wait a month or two and want something secure, go with your own; if you want something now and want a higher risk for error, bug, cajole, and beg. Just my $.02!
-Adam Stanley
Nethosters, Inc.
Typed faster than me... I really need to learn how to
touchtype :) Very similar to what I said, I agree :)
- Ant
Re: Getting help with CGI's
by suaveant (Parson) on Apr 09, 2001 at 23:15 UTC
Hey, if you can't ever trust other people's stuff, you are
going to spend a lot of time reinventing the wheel. Other
people's software, while it may have malicious code in it,
probably doesn't, and if it has been used by enough people,
there is a better chance malicious code would have been
found already. Sometimes you have to take a chance. The
bonus is, the more people who use a public software, the
more bugs and security holes get found and filled/squished.
If your friend takes 30 minutes to write you some code,
what are the chances it doesn't have holes/security bugs,
and is he going to devote his time to fixing it like someone
who puts their name on it and publishes it to a few thousand
people?
You could always do what I do, use someone else's and swear
you'll write your own when you get around to it... gives
you a warm fuzzy and releases you from the need :)
Of course, being new, writing your own is a learning
experience, then again, learning experiences take time,
dunno if you are in a hurry.
Do what you want, of course, but these are things to consider as well.
Hope it helps.
- Ant
Re: Getting help with CGI's
by kha0z (Scribe) on Apr 10, 2001 at 00:32 UTC
As stated earlier, taint mode is about the easiest way to help you pinpoint bad data. Regex is the best way to untaint it; just remember that your expression should state what you want to allow, not what you want to exclude. Always use strict.
Security is also a large part of the system administrator's job. So, for one, Apache should execute your CGI script as nobody. This will minimize the amount of damage that the security holes may cause. Additionally, it's always a good idea to restrict the access to your scripts to be only executed by an allowed HTTP referer.
I suggest always trying yourself first... it's always a good learning experience, and then look at competitors' products; they may shed some light into how to improve and lock down security in your script.
Being concerned about security is always good. Remember that no script is perfect (especially when they are complex); the idea behind security is to minimize known risks and then to fix other risks as you find them. It's always a learning process.
Good Luck.
kha0z -- www.kha0z.net
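As an added example (not code from any of the posters above), here is how footpad's checklist and kha0z's untainting advice fit together in one script: run under -wT with strict, and untaint by stating what is allowed with an anchored allowlist regex rather than stripping what is forbidden. The `untaint_username` function and the sample inputs are assumptions made for the illustration.

```perl
#!/usr/bin/perl -wT
# Added example, not from any poster. Run as:
#   perl -wT untaint_demo.pl 'alice_01' 'bob;date'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, anything from outside (ARGV, ENV, STDIN) is tainted and cannot
# reach system(), backticks or open() for writing until it has passed
# through a regex capture. Perl also refuses external calls while PATH and
# a few other variables are tainted, so fix them up front.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by stating what is ALLOWED: a whole-string match (\A ... \z) with
# an explicit character class and length limit, and no .* anywhere.
# Returns the untainted value, or undef if the input is rejected.
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z][A-Za-z0-9_]{0,31})\z/ ? $1 : undef;
}

# Constructed sample inputs (assumption) are used when no arguments are
# given; note that only values that really came from ARGV show as tainted.
my @inputs = @ARGV ? @ARGV : ('alice_01', 'alice smith', 'bob;date');

for my $raw (@inputs) {
    my $state = tainted($raw) ? 'tainted' : 'not tainted';
    my $clean = untaint_username($raw);
    if (defined $clean) {
        # $clean is now safe to hand to open(), system() or a file path.
        printf "%-16s (%s) -> accepted as '%s'\n", "'$raw'", $state, $clean;
    }
    else {
        printf "%-16s (%s) -> rejected\n", "'$raw'", $state;
    }
}
```

Invoking the script with taint checks on but without the allowlist (for example using `$raw` directly in `open`) dies with an "Insecure dependency" error, which is the tainting violation Fastolfe describes above.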