Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister

Re: Re: Re: Re: Vetting a CGI script

by jdtoronto (Prior)
on Nov 13, 2003 at 15:51 UTC ( #306818=note: print w/replies, xml ) Need Help??

in reply to Re: Re: Re: Vetting a CGI script
in thread Vetting a CGI script

Hi hmerrill,

Well, you are asking me to stretch back into history. The raid took place in late 1997 and the cgi would have been written between late 1996 and mid-1997. It is in fact quite possible that (Which was a popular predecessor to, written by Steve Brenner of Stanford and last updated in 1999).

The documentation says: "temporary files are created in /usr/tmp or /tmp and should be deleted automatically." Assuming this is the case there would be little to worry about. Using the PRIVATE_TEMPFILES is a nice trick, at least on *nix systems where the trick works.

As I recall had some user specifiable variables in the first few lines of code. One that I was always chagning was the maximum file size, but there was also one to specify where the file was written. I think this was the vulnerability. The cgi-lib variable wrote files into a directory that was executable under cgi-bin.

The moral of the story is that you need to think before you do ANYTHING! Currently I use through CGI::Application under mod_perl. But there are alternatives, most notable CGI::Upload which I have never used. As to the right way? Thou dost speak heresay! Any way is good, there is no right way, but many wrong ways. Make sure you know where temp files go. Make sure that you somehow 'untaint' anything you get from a user - even files.


Replies are listed 'Best First'.
Re: Re: Re: Re: Re: Vetting a CGI script
by hmerrill (Friar) on Nov 14, 2003 at 14:47 UTC
    Thanks - excellent explanation!

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://306818]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (2)
As of 2021-08-04 22:06 GMT
Find Nodes?
    Voting Booth?
    My primary motivation for participating at PerlMonks is: (Choices in context)

    Results (43 votes). Check out past polls.