Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

Re: Re: Re: Re: Vetting a CGI script

by jdtoronto (Prior)
on Nov 13, 2003 at 15:51 UTC ( #306818=note: print w/replies, xml ) Need Help??


in reply to Re: Re: Re: Vetting a CGI script
in thread Vetting a CGI script

Hi hmerrill,

Well, you are asking me to stretch back into history. The raid took place in late 1997 and the cgi would have been written between late 1996 and mid-1997. It is in fact quite possible that cgi-lib.pl (Which was a popular predecessor to cgi.pm, written by Steve Brenner of Stanford and last updated in 1999).

The cgi.pm documentation says: "temporary files are created in /usr/tmp or /tmp and should be deleted automatically." Assuming this is the case there would be little to worry about. Using the PRIVATE_TEMPFILES is a nice trick, at least on *nix systems where the trick works.

As I recall cgi-lib.pl had some user specifiable variables in the first few lines of code. One that I was always chagning was the maximum file size, but there was also one to specify where the file was written. I think this was the vulnerability. The cgi-lib variable wrote files into a directory that was executable under cgi-bin.

The moral of the story is that you need to think before you do ANYTHING! Currently I use CGI.pm through CGI::Application under mod_perl. But there are alternatives, most notable CGI::Upload which I have never used. As to the right way? Thou dost speak heresay! Any way is good, there is no right way, but many wrong ways. Make sure you know where temp files go. Make sure that you somehow 'untaint' anything you get from a user - even files.

jdtoronto

Replies are listed 'Best First'.
Re: Re: Re: Re: Re: Vetting a CGI script
by hmerrill (Friar) on Nov 14, 2003 at 14:47 UTC
    Thanks - excellent explanation!

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://306818]
help
Chatterbox?
[Corion]: ... I'm not really knowledgeable about good guitar players
[stonecolddevin]: I've been on a Stevie Ray Vaughan kick lately: https://www. youtube.com/watch? v=wVjdMLAMbM0
[stonecolddevin]: Corion I haven't heard much of his work to be honest.
[erix]: here is a nice cover, stevieb
[planetscape]: hello, Corion
[Corion]: Hi planetscape!
[stevieb]: Corion I like the groundbreaking ones (guitar players). I have the ability to pick up on sounds that are groundbreaking or specific to a person, thanks to my years of doing recording/mixing/ sampling (hip-hop mind you, but years of it...
[stevieb]: ...has honed in my skills of recognizing sound
[stevieb]: All of the early members are coming out of the woodwork today :) Hey, planetscape
[Corion]: This cover version had so much promise but the singing is underwhelming :-/

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (9)
As of 2017-06-22 21:26 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    How many monitors do you use while coding?















    Results (531 votes). Check out past polls.