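Not that I know of, but I would suggest turning on tainted mode and
passing all external variables through a regex.

    my $documentRoot = $ENV{"DOCUMENT_ROOT"};
    if (defined($documentRoot)) {
        # untaint documentRoot: only the captured group is untainted
        if ($documentRoot =~ m#^([\w_./+:-]+)$#) {
            $documentRoot = $1;
        } else {
            # no match: $1 would be stale or undef, so refuse the value
            die "unexpected characters in DOCUMENT_ROOT\n";
        }
    }

or something similar.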
On Tue, Jul 24, 2001 at 09:41:39AM -0500, Leonard Leblanc wrote:
> Hello Everyone,
>
> I'm not quite sure if this is the right place to be posting this, but I am
> using Debian and it is a security related question.
>
> We are currently developing a new website with Perl that consists of using
> the HTML::Template module. In the beginning of this script there are
> multiple constants defined which point to the template files using the
> $ENV{DOCUMENT_ROOT} environment variable.
>
> Does this present any more/less of a security risk than just hardcoding the
> entire path into the script?
>
> Thanks in advance.
>
> --
> Leonard Leblanc
> Vice President - Technology
> www.emergeknowledge.com
--
Jason Thomas Phone: +61 2 6257 7111
System Administrator - UID 0 Fax: +61 2 6257 7311
tSA Consulting Group Pty. Ltd. Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602 http://www.topic.com.au/
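
An added example, not part of the original message: a taint-mode script that untaints DOCUMENT_ROOT and fails closed, going slightly beyond the snippet above by also requiring an absolute path and rejecting ".." segments. The helper names, the templates/ layout and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example; helper names and sample values are constructed for illustration.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint a directory path taken from the environment, or die.
# Only a regex capture clears the taint flag, so the pattern is the policy.
sub untaint_dir {
    my ($name, $value) = @_;
    die "$name is not set\n" unless defined $value;
    # Allow-list of characters, absolute path only, no trailing newline (\z).
    $value =~ m{\A(/[\w./+:-]*)\z}
        or die "$name contains unexpected characters\n";
    my $clean = $1;
    # The character class permits '.' and '/', so reject '..' segments separately.
    die "$name contains a '..' segment\n"
        if grep { $_ eq '..' } split m{/+}, $clean;
    return $clean;
}

# Build a template path from the untainted root and a fixed file name.
sub template_path {
    my ($root, $file) = @_;
    die "bad template name\n" unless $file =~ m{\A([\w-]+\.tmpl)\z};
    return "$root/templates/$1";
}

# A zero-length slice of tainted data is itself tainted; appending it makes the
# constructed samples behave like values that really came from the web server.
my $taint = substr(join('', values %ENV), 0, 0);

for my $sample ('/var/www/site', '/var/www/../../etc',
                '/var/www/my site', "/var/www/site\n", 'relative/dir') {
    local $ENV{DOCUMENT_ROOT} = $sample . $taint;
    my $root = eval { untaint_dir('DOCUMENT_ROOT', $ENV{DOCUMENT_ROOT}) };
    if (defined $root) {
        printf "accepted %s (still tainted: %s) -> %s\n", $root,
            tainted($root) ? 'yes' : 'no', template_path($root, 'index.tmpl');
    } else {
        print "rejected: $@";
    }
}
```

Run it with `perl -T`, since Perl refuses a `-T` on the `#!` line unless the switch is also given on the command line.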