
Perl CGI Security Issues


rdyoll (Technical User, US), Aug 11, 2003
Hi, I'd like to know what security precautions one should always implement in any cgi script. I know you must never trust the browser or the user, but what necessary steps do you need to take to safeguard your server from malicious attempts. I'm interested in all viewpoints...whether simple scripts that never open a file on the server to full-blown shell scripts. I've read many books on the importance of this issue, and write accordingly...I hope. But, I would like to hear what others feel are the best parameters to follow when scripting. Meaning...what characters to allow, and/or string replacement and any other variables that one should take into consideration.
Thank you...
 
siberian

1) Never trust the user input data. This means never allowing the user to address a file on the disk.

2) Always encode/decode the cgi arguments using standard libraries like CGI.pm. If you roll your own you will miss stuff.

3) If accessing a database always 'quote' your inputs. Never trust the user to give proper input data. I've used this hole to download people's entire databases.

4) Do not execute system level calls from your perl.

That's it really, as long as your OS is configured properly and you keep your webserver patched properly you will be fine. The webserver handles most of the buffer overflow crap that you see and if you follow these rules the worst that can happen is someone crashes that apache child, it gets reaped by the root apache and life goes on!
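
The four rules above, applied in one small CGI script. This is an added example, not code from the thread or from siberian; the script name `cgi_rules.pl`, the report tokens, the `users` table and the request it processes are all made up for the demo, and it assumes CGI.pm, DBI and DBD::SQLite are installed. It also turns on Perl's taint mode (`-T`), which the post does not mention but which is the standard check that tainted request data never reaches a file-creating or program-running operation without passing through a validating regex first.

```perl
#!/usr/bin/perl -T
# Added example (not code from the thread): one small CGI script that applies
# the four rules from the post. Assumes CGI.pm, DBI and DBD::SQLite are
# installed; the database rows, the report file and the request are all
# constructed here so it runs offline with:  perl -T cgi_rules.pl
use strict;
use warnings;
use CGI;
use DBI;
use File::Temp qw(tempdir);

# Taint mode (-T) refuses file writes and program execution involving
# tainted data, and wants a trusted PATH before any external call.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# --- Constructed fixtures for the offline demo --------------------------
my $report_dir = tempdir(CLEANUP => 1);      # stands in for a fixed directory
open my $out, '>', "$report_dir/sales.txt" or die "cannot write fixture: $!";
print $out "Q3 sales: 1234 units\n";
close $out;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT)');
$dbh->do('INSERT INTO users VALUES (?, ?)', undef, 'bob', 'bob@example.com');

# --- Rule 1: the user never names a file -------------------------------
# The client sends a short token that is looked up in a fixed table; the
# table, not the request, decides which path gets opened.
my %REPORT_FILE = (
    sales   => "$report_dir/sales.txt",
    traffic => "$report_dir/traffic.txt",
);

sub report_path {
    my ($token) = @_;
    return undef unless defined $token;
    # A tight pattern rejects "../", NUL bytes and friends, and the capture
    # is what untaints the value under -T.
    return undef unless $token =~ /\A([a-z]{1,16})\z/;
    return $REPORT_FILE{$1};      # undef when not in the allow-list
}

# --- Rule 3: quote database input via placeholders ---------------------
# DBI binds the value; it is never spliced into the SQL text, so
# "bob' OR '1'='1" is simply a login that matches nobody.
sub user_email {
    my ($login) = @_;
    return undef unless defined $login && length($login) <= 64;
    my $sth = $dbh->prepare('SELECT email FROM users WHERE login = ?');
    $sth->execute($login);
    my ($email) = $sth->fetchrow_array;
    return $email;
}

# --- Rules 2 and 4: CGI.pm decodes, and nothing reaches a shell ---------
# In production CGI->new() reads the request from the web server; here a
# constructed query string carries a traversal and an injection attempt.
my $demo_query = 'report=../../etc/passwd&login=bob%27+OR+%271%27%3D%271';
my $q = CGI->new($ENV{REQUEST_METHOD} ? () : $demo_query);

print $q->header('text/plain');

my $report_param = $q->param('report');      # scalar context: one value
for my $token ($report_param, 'sales') {
    my $path = report_path($token);
    if (!defined $path) {
        printf "report %s: rejected\n", $token;
        next;
    }
    # Three-argument, read-only open: no pipe, no shell, and a leading
    # "|" or ">" in a name could never change what the open does.
    if (open my $fh, '<', $path) {
        local $/;
        printf "report %s: %s", $token, <$fh>;
        close $fh;
    } else {
        printf "report %s: unavailable\n", $token;
    }
}

my $login_param = $q->param('login');
for my $login ($login_param, 'bob') {
    my $email = user_email($login);
    printf "login %s: %s\n", $login, defined $email ? $email : 'no such user';
}
```

Run it as `perl -T cgi_rules.pl` (the `-T` on the shebang line is only honoured when the interpreter is also started with it); the traversal token and the injected login are both reported as rejected or unknown while the legitimate `sales` and `bob` succeed. CGI.pm left the Perl core in 5.22, so it now comes from CPAN. When the response is HTML rather than `text/plain`, pass anything echoed from the request through `$q->escapeHTML` before printing it; the encoding half of rule 2 matters on the way out as much as on the way in.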

 
Thanx, siberian...
I guess I was more paranoid than necessary. I've been using CGI.pm exclusively and the other parameters you quoted. Just needed to be sure.

Thanx again
 