[7027] in bugtraq
Re: textcounter.pl (alternate fix)
daemon@ATHENA.MIT.EDU (Jarkko Hietaniemi)
Thu Jun 25 14:19:30 1998
Date: Thu, 25 Jun 1998 19:48:24 +0300
Reply-To: jhi@iki.fi
From: Jarkko Hietaniemi <jhi@IKI.FI>
X-To: Andrew McNaughton <andrew@SQUIZ.CO.NZ>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <v02120d07b1b65ef8b863@[192.168.1.2]>
If you aim at safe Perl CGIs I suggest the following:
(1) upgrade to Perl 5: Perl 4 has known security holes
(2) use -T (taint) option of Perl: suspect data sources abort the script
(3) use -w and "use strict;" to catch other bugs
(4) Perl 5 has oodles of ready CGI modules, some of which you can use
as-is and some as building blocks: leverage from existing codebase
(5) with perl5 comes doc page called perlsec that tells, ta-dah,
about writing secure Perl
(6) you can be really paranoid with Perl 5 module called Safe in which
you can limit the operations the Perl script can do: e.g. it cannot
do any file I/O or you can trap operations (for example to check
for their arguments' sanity): the Perl script is run in a "safe
compartment", sort of chroot() for "Perl op hierarchy".
http://www.perl.com/CPAN/src/latest.tar.gz
always contains the latest stable Perl maintenance release as source code
--
$jhi++; # http://www.iki.fi/~jhi/
# There is this special biologist word we use for 'stable'.
# It is 'dead'. -- Jack Cohen
