
Re: Security with open() in CGI scripts

by rob_au (Abbot)
on Feb 26, 2002 at 03:24 UTC (#147463)

in reply to Security with open() in CGI scripts

A quick, cursory look at your code doesn't reveal much ... It doesn't look as if you are running under strict, as there doesn't appear to be any definition of scope for some of your variables. Nevertheless, the snippet you have given doesn't show enough for any judgement to be made of its 'fitness' for any given task - there is no indication of where you are deriving some of your values from, in particular $tempUID and $call, without which any assessment of the security tightness of your code would be flawed.

A general pragma to remember with regard to CGI security is to never trust anything which comes from the browser - irrespective of whether it be query arguments, cookie data or user-submitted information, don't trust it! This is vitally important where any of the submitted information may be used to manipulate the filesystem or process tree directly - in such instances, you should be excluding everything and then selectively permitting that which is vetted and permissible. This can lead to a great deal of code overhead, but given the consequences of a failure in security, this is a small price to pay in development time.

With regard to open and the security inherent in the command itself, this comes down very much to the arguments which are passed to it - there has previously been discussion of the 2-argument invocation of open with specific reference to passed arguments. But at the end of the day, the security concerns will centre on how the data is parsed and vetted prior to being passed to open - Has the data been checked for shell escape characters? Does the target file to be opened exist? Is the target file a directory or symbolic link? Are the permission and ownership rights of the target file as expected and allowed? The list goes on ...

In short, limit the allowable parameters, code defensively and don't trust anything sent from the browser.


perl -e 's&&[@.]/&&s&.com.&_&&&print'
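The checks listed in the reply above (reject shell metacharacters, confirm the target exists, refuse directories and symlinks, verify ownership and permissions, prefer the explicit-mode form of open) can be seen side by side in the following script. It is an added example for this thread and is not code from rob_au or from the original poster; the base directory /var/app/data, the .txt suffix and the sample inputs are assumptions made up for illustration, and O_NOFOLLOW requires a platform whose Fcntl exports it (Linux and the BSDs do).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW);
use File::Spec;

# Hypothetical data directory for this example.
my $BASE = '/var/app/data';

# BEFORE: 2-argument open lets the *value* pick the mode.  With $call taken
# straight from the query string, "|cat /etc/passwd" runs a command and
# "<../../etc/passwd" reads an unrelated file.  Shown only to illustrate the
# hazard; do not use.
sub open_unvetted {
    my ($call) = @_;
    open(my $fh, "$BASE/$call") or return;   # mode parsed out of the string
    return $fh;
}

# AFTER: default-deny the name, then check the file before opening it.
# Returns (filehandle, 'ok') or (undef, reason).
sub open_vetted {
    my ($call) = @_;

    # 1. Exclude everything, then permit a narrow pattern.  The capture is
    #    also what untaints the value under perl -T.
    return (undef, 'rejected: name not in allowed pattern')
        unless defined $call && $call =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    my $path = File::Spec->catfile($BASE, "$1.txt");

    # 2. lstat, not stat, so a symlink is seen as a symlink.
    my @st = lstat $path
        or return (undef, "rejected: missing ($!)");
    return (undef, 'rejected: symbolic link') if -l _;
    return (undef, 'rejected: not a plain file') unless -f _;

    # 3. Ownership and permissions: owned by the script's uid and not
    #    writable by others.  $st[4] is st_uid, $st[2] is st_mode.
    return (undef, 'rejected: unexpected owner') unless $st[4] == $<;
    return (undef, 'rejected: group/world writable') if $st[2] & 0022;

    # 4. Explicit read-only mode; O_NOFOLLOW makes the kernel repeat the
    #    symlink check at open time, narrowing the lstat/open race window.
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW)
        or return (undef, "open failed: $!");
    return ($fh, 'ok');
}

# Constructed sample inputs of the kind a browser could send.
for my $call ('report1', '|cat /etc/passwd', '<../../etc/passwd',
              "report1\0.txt", '../report1') {
    my ($fh, $why) = open_vetted($call);
    printf "%-22s => %s\n", "'" . ($call =~ s/\0/\\0/gr) . "'", $why;
    close $fh if $fh;
}
```

Run it under perl -T as a CGI would be; every value derived from the browser stays tainted until the pattern capture, so forgetting step 1 for a new parameter produces an "Insecure dependency" failure instead of a silent open on attacker-chosen text.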
