
Writing good and secure CGI Perl Code


MJAZ (Programmer, joined Aug 1, 2006):
Hello. I am very inexperienced with secure, business-level CGI Perl scripts. I am wondering whether anybody has tips on writing good, secure code. My current project is a form validation script. Another thing I am wondering about is how to avoid those hugely long URLs like &foo=bar&etc that display the form information for all to see. Is it possible to encode the information before it shows up? Any tips would be appreciated.
 
Another thing I am wondering about is how to avoid those hugely long URLs like &foo=bar&etc that display the form information for all to see.
This can be avoided by using POST within your form.

As for writing secure code. Rule #1. Always assume the user is going to do something malicious.

M. Brooks
 
1) If you don't want anyone to see the information being sent via the form in the address bar, use the form POST method instead of GET.
The GET method also has limitations on the size of data that can be sent via a form.
2) Validate the content. Never trust the data the user enters in form elements.
3) In your CGI script, make use of the strict and warnings pragmas.

These are some basic things.
Look out for more info from the Perl heavyweights in the forum.


--------------------------------------------------------------------------
I never set a goal because u never know what's going to happen tomorrow.
 
Make sure you use the Perl module CGI for parsing form data; it will also help eliminate malicious attacks against SQL queries.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."
 
Perl also has taint checking. I've not used it, but as far as I understand it means that any variable that gets set by something outside your program has to be 'untainted' by passing it through a regex. For example, to ensure that only numeric data has been supplied:
Code:
if ($tainted =~ /^(\d+)$/) {
   $tainted = $1;   # $tainted now clean: only the captured digits survive
}
else {
   $tainted = "";   # anything else is discarded
}
If $tainted is used to set any other variables in your program before you clean it, they are marked as dirty by association. To activate taint mode, use perl -T.

You've probably spotted that a regex of /(.*)/ will untaint anything. Perl provides the mechanism, the contents of the regex are down to you...

Steve

"Every program can be reduced by one instruction, and every program has at least one bug. Therefore, any program can be reduced to one instruction which doesn't work." (Object::PerlDesignPatterns)
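The advice in this thread (POST instead of GET, strict and warnings, CGI.pm for parsing, never trusting the form data, and taint mode with regex untainting) fits together in one short script. The following is an added example, not code from any of the posters; the field names, the whitelist regexes, the SQLite database path and the signups table are all assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): a form-validation CGI script that
# applies the points raised above. Field names, regexes, the SQLite path and the
# table name are assumed for illustration.
use strict;
use warnings;
use CGI;
use DBI;

# Under -T, Perl refuses to run external commands while PATH is tainted,
# so set it explicitly and drop the shell variables that influence commands.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# Accept the form only via POST. This keeps values out of the URL, browser
# history and server logs; as noted in the thread, it is hygiene, not secrecy.
if ($q->request_method ne 'POST') {
    print $q->header(-type => 'text/plain', -status => '405 Method Not Allowed');
    print "POST required\n";
    exit;
}

# One anchored whitelist regex per field (assumed rules). The capture group is
# the only thing that leaves tainted: $1 is clean, the raw parameter is not.
my %rule = (
    username => qr/^([A-Za-z0-9_]{3,20})$/,
    age      => qr/^(\d{1,3})$/,
    email    => qr/^([\w.+-]+@[\w-]+(?:\.[\w-]+)+)$/,
);

my (%clean, @errors);
for my $field (sort keys %rule) {
    my $raw = $q->param($field);
    $raw = '' unless defined $raw;
    if ($raw =~ $rule{$field}) {
        $clean{$field} = $1;                      # untainted copy
    } else {
        push @errors, "$field is missing or invalid";
    }
}

if (@errors) {
    print $q->header(-type => 'text/plain', -status => '400 Bad Request');
    print "Rejected:\n", map { "  $_\n" } @errors;
    exit;
}

# Even validated values go into SQL through placeholders, never by
# interpolating them into the statement string.
my $dbh = DBI->connect('dbi:SQLite:dbname=/tmp/forms.db', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE IF NOT EXISTS signups (username TEXT, age INTEGER, email TEXT)');
my $sth = $dbh->prepare('INSERT INTO signups (username, age, email) VALUES (?, ?, ?)');
$sth->execute(@clean{qw(username age email)});

print $q->header(-type => 'text/plain');
print "Thanks, $clean{username}\n";
```

Two things worth knowing when you try this. First, if you skip the regex step and hand a raw parameter to open, system or a file operation, taint mode stops the script with "Insecure dependency in open while running with -T switch" (or the equivalent for that operation), which is the check doing its job. Second, CGI.pm is no longer shipped with core Perl as of 5.22, so on a current system install it from CPAN or use a newer interface with the same validation discipline.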
 
See also faq452-6421 in the CGI forum.

-------------
Kirsle.net | Kirsle's Programs and Projects
 
Have a read through Ovid's CGI Course. There are a lot of really good tips on writing good, secure Perl code for CGI in there.
 
The form information is viewable in the source code and anyone can save the form and edit the POST to GET and see the info in the URI. Your script might reject the data if it arrives as GET but the user will still see whatever it is you think you don't want them to.

Long URLs are ugly and can cause some problems, but they should not be considered a security risk.

- Kevin, perl coder unexceptional!
 
Thanks guys! Are there any conventions that I should be aware of?
 