
Re: CGI Perl Security



Not that I know of, but I would suggest turning on tainted mode and
passing all external variables through a regex.

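my $documentRoot = $ENV{"DOCUMENT_ROOT"};
if (defined($documentRoot)) {
	# untaint documentRoot: accept it only if every character is allowed
	if ($documentRoot =~ m#^([\w_./+:-]+)$#) {
		$documentRoot = $1;
	} else {
		# on a failed match $1 is undef or left over from an earlier match
		die "unexpected characters in DOCUMENT_ROOT\n";
	}
}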

or something similar.


On Tue, Jul 24, 2001 at 09:41:39AM -0500, Leonard Leblanc wrote:
> Hello Everyone,
> 
> I'm not quite sure if this is the right place to be posting this, but I am 
> using Debian and it is a security related question.
> 
> We are currently developing a new website with perl that consists of using 
> the HTML::Template module.  In the beginning of this script there are 
> multiple constants defined which point to the template files using the 
> $ENV{DOCUMENT_ROOT} environment variable.  
> 
> Does this present any more/less of a security risk than just hardcoding the 
> entire path into the script?
> 
> Thanks in advance.
> 
> -- 
> Leonard Leblanc
> Vice President - Technology
> www.emergeknowledge.com
> 
> 

-- 
Jason Thomas                           Phone:  +61 2 6257 7111
System Administrator  -  UID 0         Fax:    +61 2 6257 7311
tSA Consulting Group Pty. Ltd.         Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602         http://www.topic.com.au/
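
An added example, not part of the original thread: a taint-mode script that untaints DOCUMENT_ROOT with an allow-list regex, checks that the match succeeded, rejects ".." segments, and builds a template path from the result. The helper names untaint_path and template_path, the templates/ directory and the .tmpl suffix are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread). The names untaint_path and
# template_path, and the templates/ layout, are hypothetical.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;

# Return an untainted copy of an absolute path, or die if it looks wrong.
sub untaint_path {
    my ($raw, $label) = @_;
    die "$label is not set\n" unless defined $raw;
    # Allow-list of characters; \z (not $) so a trailing newline is rejected.
    my ($clean) = $raw =~ m#\A(/[\w./+:-]*)\z#
        or die "$label contains unexpected characters\n";
    # The allow-list permits dots, so reject ".." path segments explicitly.
    die "$label contains a '..' segment\n"
        if grep { $_ eq '..' } File::Spec->splitdir($clean);
    return $clean;
}

# Build a template path under the document root from a bare file name.
sub template_path {
    my ($root, $name) = @_;
    my ($file) = $name =~ m#\A([\w-]+\.tmpl)\z#
        or die "bad template name\n";
    return File::Spec->catfile($root, 'templates', $file);
}

# Constructed sample value so the script also runs outside a web server.
$ENV{DOCUMENT_ROOT} = '/var/www/html' unless defined $ENV{DOCUMENT_ROOT};

my $raw = $ENV{DOCUMENT_ROOT};
printf "raw tainted:   %s\n", tainted($raw) ? 'yes' : 'no';
my $root = untaint_path($raw, 'DOCUMENT_ROOT');
printf "clean tainted: %s\n", tainted($root) ? 'yes' : 'no';
print template_path($root, 'index.tmpl'), "\n";

# A value with a traversal segment passes the character check but is refused.
eval { untaint_path('/var/www/../../etc', 'test value'); 1 }
    or print "rejected: $@";
```

Run it as `perl -T script.pl`, since a -T on the #! line must also be given on the command line. The first line of output reads "yes" only when DOCUMENT_ROOT comes from the real environment; the constructed fallback is a literal and therefore not tainted.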
