mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: bet () RAHUL NET (Bennett Todd)
Date: Fri, 18 Feb 2000 17:27:45 -0500
2000-02-18-10:45:48 Brock Sides:
Perl's tainting mechanism will also come into play when opening a
filehandle for writing:
What's more, it's available to user code. perlsec(1) gives an
example routine that can check the taintedness of a variable, and
the Taint module makes it really painless.
DBI.pm offers a Taint option to taint-check data passed to it; this
offers some hope of addressing the rash of bugs in weirdo data with
SQL embedded in it being passed through CGIs and into a relational
database (ref RFP2K01, recently posted to this list).
I'm hoping it's possible that the new (development track perl)
feature for I/O disciplines may allow you to bolt a routine over the
front of an I/O handle that taint checks everything written to it;
that'd make a nice clean way of dealing with the whole
<LI>application/pgp-signature attachment: stored
Re: perl-cgi hole in UltimateBB by Infopop Corp. Kevin Hillabolt (Feb 15)
Re: perl-cgi hole in UltimateBB by Infopop Corp. Jordan Ritter (Feb 16)
Packet filter logging: MAC & TCP flags Jens Hektor (Feb 15)