Re: Perl code security (CGI related)
From: Valdis.Kletnieks@vt.edu
Date: Tue Apr 06 2004 - 15:19:30 CDT
On Tue, 06 Apr 2004 15:47:28 BST, shattoc@simple-sam.com said:
> I would suggest that you make a rule: any time there is the possibility that
> a user will be putting data into your application, you should enable Perl's
> taint mode. Do a Google search for 'perl taint' (no quotes) for a plethora of
> information on this excellent security tool.
One *important* precautionary note regarding Perl tainting:
It *does* prohibit unintended use of a user-supplied variable without some sort
of examination/validation/filtering beforehand.
It *does* *not* have any way of validating that *proper* filtering was done
(so, for instance, "change all spaces to spaces" would suffice to untaint the
data, while doing nothing for security).
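The distinction Valdis draws above, shown in code (this is an added example, not code from the thread): Perl's taint flag is cleared by any successful regex capture, so a catch-all pattern "untaints" the data without changing it, while a whitelist pattern is what actually does the filtering. The input string is constructed for the demonstration and borrows its taint flag from the process environment, since a literal is never tainted; the `untaint_filename` helper and its character class are assumptions chosen for the example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample standing in for a CGI parameter such as $q->param('file').
# A literal is never tainted, so append a zero-length slice of a tainted
# environment value (the usual idiom for marking data as tainted).
my $user_input = 'report.txt; rm -rf /';
$user_input .= substr($ENV{PATH} // '', 0, 0);

printf "raw input tainted: %s\n", tainted($user_input) ? 'yes' : 'no';

# 1. Cosmetic "untaint", the code equivalent of "change all spaces to spaces".
#    Perl only records that the value passed through a capture, not whether
#    the pattern was restrictive, so the flag is cleared and the data is
#    exactly as dangerous as before.
my ($bogus) = $user_input =~ /^(.*)$/s;
printf "after /^(.*)\$/s: tainted=%s value=[%s]\n",
    tainted($bogus) ? 'yes' : 'no', $bogus;

# 2. Whitelist untaint: accept only the characters the application needs
#    and refuse everything else. This is the check taint mode expects the
#    programmer to write but cannot verify on its own.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    # \A and \z (not ^ and $) so a trailing newline cannot slip through;
    # no leading dot, no '/', no shell metacharacters, bounded length.
    return $1 if $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return;   # rejected
}

my $clean = untaint_filename($user_input);
if (defined $clean) {
    printf "accepted: [%s] tainted=%s\n", $clean, tainted($clean) ? 'yes' : 'no';
} else {
    print "rejected: input did not match the filename whitelist\n";
}
```

Run it as `perl -T untaint.pl` (when `-T` is on the shebang line Perl insists it also appear on the command line). The first pattern reports the value as untainted with the shell metacharacters intact; the whitelist rejects it, which is the behaviour you want from a real filter. Taint mode will stop you from passing the raw value to `system` or `open`, but it would have been equally happy with `$bogus`.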