Home page logo

bugtraq logo Bugtraq mailing list archives

Re: textcounter.pl (alternate fix)
From: jhi () iki fi (Jarkko Hietaniemi)
Date: Thu, 25 Jun 1998 19:48:24 +0300

If you aim at safe Perl CGIs I suggest the following:

(1) upgrade to Perl 5: Perl 4 has known security holes
(2) use -T (taint) option of Perl: suspect data sources abort the script
(3) use -w and "use strict;" to catch other bugs
(4) Perl 5 has oodles of ready CGI modules, some of which you can use
    as-is and some as building blocks: leverage from existing codebase
(5) with perl5 comes doc page called perlsec that tells, ta-dah,
    about writing secure Perl
(6) you can be really paranoid with Perl 5 module called Safe in which
    you can limit the operations the Perl script can do: e.g. it cannot
    do any file I/O or you can trap operations (for example to check
    for their arguments' sanity): the Perl script is run in a "safe
    compartment", sort of chroot() for "Perl op hierarchy".


always contains the latest stable Perl maintenance release as source code

$jhi++; # http://www.iki.fi/~jhi/
        # There is this special biologist word we use for 'stable'.
        # It is 'dead'. -- Jack Cohen

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]