Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

Re: Vetting a CGI script

by hmerrill (Friar)
on Nov 12, 2003 at 17:12 UTC ( #306561=note: print w/replies, xml ) Need Help??


in reply to Vetting a CGI script

I've been using Perl for the last 6+ years, and I don't even remember cgi-lib.pl :)

I don't see a problem printing possibly tainted data to a file, but it really depends on what that file will be used for. I suppose you could say that untainting that data would be the responsibility of the program that *reads* that file. But my inclination would be to untaint the data before writing it to the file. I don't have much experience with -T taint mode, but I believe that if you intend to add the -T flag, that you'll have to untaint all external data (like form data) coming in first before using it anyway - so it's kind of a mute point.

As far as piping tainted data to sendmail, I thought I had read something somewhere about the flags to sendmail having something to do with security precautions, but I can't seem to find that. Read the perldocs on "How do I send mail?" by doing

perldoc -q mail
at a command prompt and search (using the forward slash "/") for "sendmail" - you'll find it. There are some slight sendmail flag differences between your code and what they suggest - I'm not sure if those differences are significant.

HTH.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://306561]
help
Chatterbox?
[ambrus]: choroba: that doesn't matter, the cookies are independent on the webserver, they just have to contain your username and crypted password with a seed of the user's choice, you can change the hostname or even construct a cookie without asking the server
[ambrus]: choroba: and for perlmonks (but not for everything2), you don't even need a cookie, you can just send a username and password parameter in every request, and this is even documented in What XML generators are currently available on PerlMonks?
[holli]: i admire you choroba, if i had to work at such a place, i wouldn't last long. as bosses don't like if someone calls them clueless idiots
[ambrus]: (The cookie format is not documented anywhere afaik, but it's trivial to reverse engineer even without being a pmdev.)
[holli]: or "ignorant bricks" (that is not a typo)

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (12)
As of 2017-10-24 11:33 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    My fridge is mostly full of:

















    Results (289 votes). Check out past polls.

    Notices?