Appendix A Perl CGI Programming FAQ

 

---

A.5 Security

Is a Perl CGI program more or less secure than a shell or C one?

The answer to this is: A CGI program is prone to security problems no matter what language it is written in!

What particular security concerns should I be aware of?

Never expose any form of data to the shell. All of the following are possible security holes:

open (COMMAND, "/usr/ucb/finger $form_user");
system ("/usr/ucb/finger $form_user");
@data = `usr/ucb/finger $form_user`;

See more examples in the following answers. You should also look at:

WWW Security FAQ (by Lincoln Stein) (https://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html)

CGI Security FAQ (by Paul Phillips) (https://www.cerf.net/~paulp/cgisecurity/safe-cgi.txt)

How can I call a program with backtics securely? Is it true that:

@ans = `grep '$user_field' some.file`;  

is insecure?

Yes! It's very dangerous! Imagine if $user_field contains:

; rm -fr / ;  

An equivalent to the above command is:

if (open (GREP, "-|")) {
    @ans = <GREP>
} else {
    exec ("/usr/local/bin/grep", $user_field, "some.file")
        || die "Error exec'ing command", "\n";
}
close (GREP);

Is it true that /$user_variable/ is a security hole in Perl 5?

No! It's not. It's a security hole if you evaluate the expression at runtime using the eval command. Something like this is dangerous:

foreach $regexp (@all_regexps) {
    eval "foreach (\@data) { push (\@matches, \$_) if m|$regexp|o; }";
} 
 

---

Specific Programming Questions