Re: Perl code security (CGI related)
Date: Tue Apr 06 2004 - 15:19:30 CDT
On Tue, 06 Apr 2004 15:47:28 BST, shattocsimple-sam.com said:
> I would suggest that you make a rule: any time there is the possibility that
> a user will be putting data into your application, you should enable Perl's
> taint mode. Do a google search for 'perl taint' (no quotes) for a plethora of
> information on this excellent security tool.
One *important* precautionary note regarding Perl tainting:
It *does* prohibit unintended use of a user-supplied variable without some sort
of examination/validation/filtering beforehand.
It *does* *not* have any way of validating that *proper* filtering was done
(so, for instance, "change all spaces to spaces" would suffice to untaint the
data, while doing nothing for security).
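To make the point above concrete, here is an added example (not code from the original mail) that runs under `perl -T` and compares a do-nothing "untaint" with a whitelist one. It assumes a Unix-like system with a `true` binary on the PATH; the hostile parameter value is constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post. Run it as: perl -T taint_demo.pl
# Taint mode records only *that* a value passed through a regex capture,
# not *what* the regex actually checked.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# %ENV is tainted under -T, so concatenating an empty slice of $ENV{PATH}
# marks this constructed stand-in for a CGI parameter as tainted too.
my $param = 'report.txt; id' . substr( $ENV{PATH}, 0, 0 );
printf "raw input tainted:        %s\n", tainted($param) ? 'yes' : 'no';

# "Change all spaces to spaces": a substitution with no capture leaves the
# value tainted, so taint mode still refuses to act on it.
( my $copy = $param ) =~ s/ / /g;
printf "after s/ / /g tainted:    %s\n", tainted($copy) ? 'yes' : 'no';

# The same non-filter written as a capture: /^(.*)$/ matches anything, the
# capture untaints, and taint mode is satisfied although nothing was checked.
my ($lazy) = $param =~ /^(.*)$/s;
printf "after /^(.*)\$/ tainted:   %s\n", tainted($lazy) ? 'yes' : 'no';

# A real untaint: whitelist the characters a bare filename may contain and
# yield nothing otherwise. The hostile input above fails this test.
my ($safe) = $param =~ /^([\w.-]+)$/;
printf "whitelist result:         %s\n", defined $safe ? $safe : '(rejected)';

# Taint mode checks the tracking bit, not the content: the lazily untainted
# hostile string is accepted by system(), the still-tainted original is not.
$ENV{PATH} = '/bin:/usr/bin';                 # system() also needs a clean PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};     # and no shell-influencing vars
system( 'true', $lazy ) == 0
    and print "system() accepted the lazily untainted value\n";
eval { system( 'true', $param ); 1 }
    or print "system() refused the tainted value: $@";
```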