Re: CGI security on a shared web server (fwd)

From: Ilya Martynov (ilya@martynov.org)
Date: 05/28/02


To: "Lee E. Brotzman" <leb@gmss.com>
From: Ilya Martynov <ilya@martynov.org>
Date: 28 May 2002 11:41:14 +0400


>>>>> On Sat, 25 May 2002 11:20:32 -0400, "Lee E. Brotzman" <leb@gmss.com> said:

LEB> [..snip..]

LEB> I write almost all my CGI in Perl and indeed the setuid Perl
LEB> scripts are run by suidperl. This gives me the "taint" feature
LEB> whereby I must untaint any user input -- a good feature, but
LEB> certainly no cure-all. You can always untaint anything by just
LEB> matching it to the regexp "/^.*$/". For a client, I developed an
LEB> Untaint library that has regexps for checking phone numbers, file
LEB> names (only allowing alphanumerics and decimals), file paths
LEB> (checking that all directories in the path exist and are
LEB> readable), 7-bit clean, and other special cases -- even the
LEB> "match anything" test (I call that method Untaint::StillNotSafe).

LEB> Note that if you use suEXEC to invoke a setuid Perl script, you
LEB> will lose the tainted-data feature. Another reason I don't like
LEB> suEXEC. I'd prefer the script bombs if I try to use untested
LEB> external data.

You don't have to use suidperl to get taint checks. Just add -T to the
shebang line. See 'perldoc perlrun' and 'perldoc perlsec'.

-- 
Ilya Martynov (http://martynov.org/)
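
The two points in this thread, taint checks enabled by -T alone and untainting that validates versus untainting that merely matches, shown as an added example that is not code from either poster. The helper names `untaint_filename` and `still_not_safe` and the sample inputs are constructed for illustration; the Untaint library mentioned above is not shown on this page.

```perl
#!/usr/bin/perl -T
# Added example: -T on the shebang line turns on taint checks, no suidperl involved.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Zero-length string that carries the taint flag (environment values are
# tainted under -T). Appending it marks a constructed sample as tainted,
# the way real CGI input would be.
my $taint = substr(join('', %ENV, $0), 0, 0);

# Hypothetical helper: accept only a bare file name made of alphanumerics
# and dots. The regexp capture is what clears the taint flag, so the
# pattern is the whole validation: no slashes, no leading dot, bounded length.
sub untaint_filename {
    my ($value) = @_;
    return unless defined $value;
    return $1 if $value =~ /\A([A-Za-z0-9][A-Za-z0-9.]{0,63})\z/;
    return;    # rejected: caller gets undef, never the raw input
}

# The "match anything" capture: clears the taint flag and checks nothing.
sub still_not_safe {
    my ($value) = @_;
    my ($copy) = $value =~ /^(.*)$/s;
    return $copy;
}

# Constructed sample inputs.
for my $name ('report.txt', '../other/report.txt', 'report.txt;x') {
    my $input  = $name . $taint;
    my $strict = untaint_filename($input);
    my $loose  = still_not_safe($input);
    printf "%-20s tainted=%d  strict=%-12s  loose='%s' (tainted=%d)\n",
        $name, tainted($input) ? 1 : 0,
        defined $strict ? "'$strict'" : 'rejected',
        $loose, tainted($loose) ? 1 : 0;
}

# Using tainted data in an operation that affects the file system makes
# Perl die before the operation runs. The directory below is a placeholder
# that does not exist, so nothing is created either way.
my $raw = 'report.txt' . $taint;
my $ok  = eval { open(my $fh, '>', "/nonexistent-example-dir/$raw"); 1 };
print $ok ? "open was attempted\n" : "blocked: $@";
```

Run it as an executable file (or as a CGI) so the shebang line is honoured; invoking it as `perl script.pl` without `-T` on the command line makes Perl refuse to start because the switch arrives too late.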