Writing secure programs. Wow, that's a huge topic. Where to start? :-)

I suppose with some basic Perl references. The Camel Chapter 23 "Security" provides an excellent (and much more detailed than perlsec) overview of fundamental Perl security issues. This chapter is broken into: Handling Insecure Data, Cleaning Up Your Environment, Accessing Commands and Files Under Reduced Privileges, Handling Timing Glitches (Unix Kernel Security Bugs, Race Conditions, Temporary Files), Handling Insecure Code (Safe module, Code Masquerading as Data).

The Perl Cookbook has recipes: 8.17 (Testing a File for Trustworthiness), 19.4 (Writing a Safe CGI Program), 19.5 (Executing Commands Without Shell Escapes).

Can anyone comment on how safe is the Safe module? Sorry, I've not used it, though it is described in the Camel. Update: apparently it's not safe according to considered unsafe?.

The venerable suidperl has apparently had all known insecurities plugged by Paul Szabo in Perl 5.8.4. However, "For new projects the core perl team would strongly recommend that you use dedicated, single purpose security tools such as sudo in preference to suidperl" (perl584delta).

Which leads me to an important general piece of security advice (simplifying outrageously): Keep up-to-date with the latest version of perl. Well, that's a bit over the top; keep an eye on security alerts and perldelta security bug fixes and upgrade your perl judiciously. Apart from Paul's heroic suidperl fixes, security bugs are being squashed all the time. For example, perl 5.8 introduced Hash Randomisation and ensuring that sort never goes O(n-squared). Despite these two important denial-of-service (DoS) improvements, Perl regular expressions remain a concern for DoS attacks, it being easy to write (and hard to detect) a regular expression that finishes after the heat death of the universe.

In reply to Re: Security techniques every programmer should know by eyepopslikeamosquito
in thread Security techniques every programmer should know by Juerd
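The regular-expression denial-of-service point in the post's last paragraph, as an added Perl example that is not part of the original post: a pattern shaped for catastrophic backtracking next to an equivalent rewrite in which every character can be consumed only one way, plus an input-length cap applied before the regex engine ever sees untrusted data. The patterns, the 1024-byte cap and the sample inputs are constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Nested quantifiers over overlapping classes: "abc" may be one word or
# "ab"+"c" or "a"+"bc"..., so on a near-miss input a backtracking engine
# can try exponentially many splits before it reports a non-match.
my $backtracking = qr/\A(?:\w+\s?)*\z/;

# Same accepted language (runs of word characters, single spaces between
# them, no leading space, optional trailing space) written so each group
# must end at a space; there is only one way to consume each character,
# and a non-match is found in time linear in the input length.
my $linear = qr/\A(?:\w+\s)*\w*\z/;

# Hard ceiling on how much attacker-controlled text reaches the regex
# engine at all (constructed value for this example).
my $MAX_LEN = 1024;

# Validate untrusted input: length cap first, unambiguous pattern second.
# Returns 1 for a well-formed word list, 0 otherwise.
sub is_word_list {
    my ($input) = @_;
    return 0 unless defined $input;
    return 0 if length($input) > $MAX_LEN;
    return ($input =~ $linear) ? 1 : 0;
}

# Constructed inputs: accepted and rejected shapes, including the short
# "almost matches" string whose longer cousins trigger the blow-up.
my @cases = (
    'alpha beta gamma',    # well formed
    'alpha beta gamma ',   # trailing space is allowed
    '',                    # empty string is allowed by both patterns
    ' alpha',              # leading space
    'alpha  beta',         # doubled space
    'aaaaaaaaaa!',         # non-word tail after a run of word characters
);

# Short inputs are safe to feed to both patterns, which lets us check
# that the rewrite really accepts and rejects the same strings.
for my $in (@cases) {
    my $old = ($in =~ $backtracking) ? 1 : 0;
    my $new = is_word_list($in);
    printf "%-20s backtracking=%d linear=%d %s\n",
        "'$in'", $old, $new, ($old == $new ? 'agree' : 'DIFFER');
}

# Over the cap the regex engine is never consulted, whatever the content.
printf "%d-byte input accepted: %d\n",
    $MAX_LEN + 1, is_word_list('a' x ($MAX_LEN + 1));
```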
