bman has asked for the wisdom of the Perl Monks concerning the following question:

After reading much about CGI security and so on, I decided to look at my scripts and of course, there is much work to be done. My question is this:
Do I have to untaint every single variable passed from the form to my script or the one that only requires user's input? So, If I have a drop down box, for example, do I also have to untaint it?
Thanks.

Replies are listed 'Best First'.
Re: Question about untainting data
by Fastolfe (Vicar) on Nov 04, 2000 at 01:47 UTC
    You only have to untaint data you attempt to use in a critical operation. If you're using tainted data in, say, your open calls, unlink, system, etc., you need to un-taint your data first. If you're just printing data or using it for decision-making, you don't have to untaint it.

    This doesn't apply to just form data. Any data that is retrieved from outside of your script is potentially bad and potentially made harmful. Perl marks it as tainted, and will prevent you from trying to use it in any critical operations, since the effects could be adverse.

      I think that filtering your output depends more on your application. If you're writing code to collect some data from users then it's not a big deal. But if you're writing a guestbook you may want to filter input for stuff like malicious javascript.

      It's a shame we have to do this too.

      Slightly off topic, but still important to the security question.
Re: Question about untainting data
by chromatic (Archbishop) on Nov 04, 2000 at 02:07 UTC
    Perl doesn't differentiate between input from a textarea or from a drop down box -- and it would be trivial for someone in the know to pass arbitrary parameters to your script through LWP or even by saving your HTML and modifying it.

    Fastolfe's right that you can use tainted data in many operations with no trouble, but just be aware that presenting the choice in certain HTML widgets offers minimal protection against mischief makers.

RE: Question about untainting data
by KM (Priest) on Nov 04, 2000 at 02:08 UTC
    If I have a drop down box, for example, do I also have to untaint it?

    The best way to answer this is to use -T.. if you need to untaint it, Perl will tell you so :)

    Cheers,
    KM

Re: Question about untainting data
by neophyte (Curate) on Nov 04, 2000 at 15:39 UTC
    Usually I have user input for searching a database, so in almost all cases I can exclude non-word characters. But I also have some scripts the user can influence by his input, in a way that one subroutine is called based on the input in a select box. But I never call the subroutine directly from the user's input, but use a construct like the following:

        if ($user_input eq "do this") {
            &sub_a;
        } elsif ($user_input eq "do that") {
            &sub_b;
        } else {
            &error("", "unexpected input", "The input you supplied is not supported");
        }

    Strictly speaking this is not untainting. If this is insecure in any way, please inform me.
    Thanks

    neophyte

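An added example in Perl, not code from the thread or from any of the posters, putting the replies above together: input arriving tainted, the regex-capture untaint against an explicit whitelist feeding a dispatch table in the spirit of neophyte's if/elsif chain, and -T refusing a critical operation on data that is still tainted (KM's "Perl will tell you so"). The names untaint_action, sub_a, sub_b and the action strings are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as:  perl -T taint_demo.pl "do that"
# (-T must be on the command line too; a shebang alone gives "Too late for -T").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# -T refuses system()/exec() while these environment values are tainted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Anything from outside the script (@ARGV here, form params in a CGI) is
# tainted; the flag survives assignment, concatenation and interpolation.
my $raw = @ARGV ? $ARGV[0] : 'do this';   # the literal fallback is NOT tainted
printf "input tainted: %s\n", tainted($raw) ? 'yes' : 'no';

sub sub_a { print "doing this\n" }
sub sub_b { print "doing that\n" }

# Whitelist dispatch; $raw itself is never used as a symbolic sub name.
my %actions = ('do this' => \&sub_a, 'do that' => \&sub_b);

# The only thing that clears the taint flag is a regex capture, and only the
# captured text is cleared. Matching the exact set of values the form is
# supposed to send keeps the pattern as narrow as possible; anything else
# is rejected rather than "cleaned up".
sub untaint_action {
    my ($in) = @_;
    return $1 if $in =~ /^(do this|do that)\z/;
    return;     # undef: unexpected input, the error branch in neophyte's post
}

my $action = untaint_action($raw);
if (defined $action) {
    printf "after untaint tainted: %s\n", tainted($action) ? 'yes' : 'no';
    $actions{$action}->();
} else {
    print "unexpected input: refused\n";
}

# A "critical operation" (Fastolfe's term) with the still-tainted value:
# under -T Perl dies with "Insecure dependency in system" before it runs.
eval { system('echo', $raw) == 0 or die "system failed: $?\n"; 1 }
    or print "system() refused: $@";
```

Run it once with no argument (untainted literal, system() runs) and once with a form-style argument to see the refusal; printing the tainted value is allowed either way, as Fastolfe notes.
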
Re: Question about untainting data
by elwarren (Priest) on Nov 04, 2000 at 02:37 UTC
    A trouble maker could write his own form that submits to your cgi. His input could be something that you completely did not expect. So even though you forced your options on the regular user you have to keep things like this in mind.