CGI Programming on the World Wide Web By Shishir Gundavaram 1st Edition March 1996 This book is out of print, but it has been made available online through the O'Reilly Open Books Project.

Appendix A Perl CGI Programming FAQ

 

---

A.5 Security

Is a Perl CGI program more or less secure than a shell or C one?

The answer to this is: A CGI program is prone to security problems no matter what language it is written in!

What particular security concerns should I be aware of?

Never expose any form of data to the shell. All of the following are possible security holes:

open (COMMAND, "/usr/ucb/finger $form_user");
system ("/usr/ucb/finger $form_user");
@data = `usr/ucb/finger $form_user`;

See more examples in the following answers. You should also look at:

WWW Security FAQ (by Lincoln Stein) (http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html)

CGI Security FAQ (by Paul Phillips) (http://www.cerf.net/~paulp/cgisecurity/safe-cgi.txt)

How can I call a program with backtics securely? Is it true that:

@ans = `grep '$user_field' some.file`;  

is insecure?

Yes! It's very dangerous! Imagine if $user_field contains:

; rm -fr / ;  

An equivalent to the above command is:

if (open (GREP, "-|")) {
    @ans = <GREP>
} else {
    exec ("/usr/local/bin/grep", $user_field, "some.file")
        || die "Error exec'ing command", "\n";
}
close (GREP);

Is it true that /$user_variable/ is a security hole in Perl 5?

No! It's not. It's a security hole if you evaluate the expression at runtime using the eval command. Something like this is dangerous:

foreach $regexp (@all_regexps) {
    eval "foreach (\@data) { push (\@matches, \$_) if m|$regexp|o; }";
} 
 

---

Specific Programming Questions

Back to: CGI Programming on the World Wide Web