|No such thing as a small change|
Some advice on another's scriptsby Mr. Muskrat (Abbot)
|on Jun 25, 2002 at 17:17 UTC||Need Help??|
My fellow monks:
I spoke with some of you this morning in the CB concerning the following matter. I was looking through a linux website and came across an article on a perl script. So I followed the link and looked at the code. What I found was
I then looked at a CGI script at the same site written by the same person and it was even worse. There was no taint checking even though it is receiving input, no -w, no 'use strict', global variables, and he sent fatals to the browser. He uses CGI.pm but hand rolls most of his HTML. (Which is okay but if your gonna use it, use it to it's fullest!) I contacted the man via email telling him how he should change things for the better (trying to stress the security related items). I sent him a link to PerlMonks as well as Ovid's wonderful CGI Course. He replied saying that, yes he should follow most of my suggestions but it would have to wait for the next version when he migrates it to mod_perl.
I am not an expert perl programmer. I am not a security professional. I haven't even had the time to fully go through all of the code yet. I felt that I should make the author aware of the mistakes and that I should show him a cleaner way of producing HTML in CGI scripts.
Did I do the right thing? I think so.
Did I take it too far by telling him to use CGI.pm to it's fullest? Maybe... it is primarily a personal preference.