Not that I know of, but I would suggest turning on tainted mode and
passing all external variables through a regex.

    my $documentRoot = $ENV{"DOCUMENT_ROOT"};
    if (defined($documentRoot)) {
        # untaint documentRoot; use $1 only if the match succeeded,
        # otherwise $1 still holds whatever an earlier match captured
        if ($documentRoot =~ m#^([\w_./+:-]+)$#) {
            $documentRoot = $1;
        } else {
            die "unexpected characters in DOCUMENT_ROOT\n";
        }
    }

or something similar.

On Tue, Jul 24, 2001 at 09:41:39AM -0500, Leonard Leblanc wrote:
> Hello Everyone,
>
> I'm not quite sure if this is the right place to be posting this, but I am
> using Debian and it is a security related question.
>
> We are currently developing a new website with perl that consists of using
> the HTML::Template module. In the beginning of this script there are
> multiple constants defined which point to the template files using the
> $ENV{DOCUMENT_ROOT} environment variable.
>
> Does this present any more/less of a security risk than just hardcoding the
> entire path into the script?
>
> Thanks in advance.
>
> --
> Leonard Leblanc
> Vice President - Technology
> www.emergeknowledge.com

-- 
Jason Thomas                           Phone:  +61 2 6257 7111
System Administrator  -  UID 0         Fax:    +61 2 6257 7311
tSA Consulting Group Pty. Ltd.         Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602         http://www.topic.com.au/
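An added example, not part of either message in the thread: the taint-mode approach suggested in the reply, applied to the template paths the question describes. The `templates` subdirectory, the `.tmpl` suffix, the `template_path` helper and the sample values are assumptions made for illustration.

```perl
# Run with: perl -T example.pl   (-T enables taint mode)
use strict;
use warnings;
use File::Spec;

# Build the path of a template below the document root, or die.
# Under -T, $ENV{DOCUMENT_ROOT} is tainted; only a regex capture untaints it.
sub template_path {
    my ($root, $name) = @_;
    defined $root or die "DOCUMENT_ROOT is not set\n";

    # Allow-list of characters, absolute path only. The list assignment is
    # false when the match fails, so a stale $1 can never be picked up.
    my ($clean_root) = $root =~ m#\A(/[\w./+:-]*)\z#
        or die "DOCUMENT_ROOT contains unexpected characters\n";

    # The character class permits dots, so reject parent-directory steps.
    die "DOCUMENT_ROOT contains a '..' component\n"
        if grep { $_ eq '..' } split m#/#, $clean_root;

    # Template names: one path component with a fixed suffix (assumed .tmpl).
    my ($clean_name) = $name =~ m#\A([\w-]+\.tmpl)\z#
        or die "bad template name\n";

    return File::Spec->catfile($clean_root, 'templates', $clean_name);
}

# Constructed sample values; in a CGI script the web server sets
# DOCUMENT_ROOT and the script would pass $ENV{DOCUMENT_ROOT} instead.
for my $root ('/var/www/site', '/var/www/site;x', '/var/www/../etc') {
    my $path = eval { template_path($root, 'index.tmpl') };
    print defined $path ? "accepted: $path\n" : "rejected: $@";
}
```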