
Re: CGI Perl Security



Tamas TEVESZ <ice@extreme.hu> wrote:
> 
> DOCUMENT_ROOT is set by the server, so it's just unnecessary
> overhead. you can of course do that, but if you don't trust your
> webserver, why are you running it in the first place ? :>

If you don't have taint mode on when coding Perl scripts that must run in
hostile environments (e.g. CGIs), you're an idiot, and you're going to have
problems sooner or later.

If you *do* have taint mode on, then you need to untaint everything you want
to use, including environment variables that you would normally trust anyway.
-- 
Sam Couter          |   Internet Engineer   |   http://www.topic.com.au/
sam@topic.com.au    |   tSA Consulting      |
OpenPGP key ID:       DE89C75C,  available on key servers
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
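The untainting step Sam describes, as an added example that is not part of the original thread. It is a hypothetical CGI-style script run under `perl -T`; the `untaint_docroot` function, the allow-list pattern and the fallback DOCUMENT_ROOT value are assumptions made for the example, not anything from the list discussion.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): under taint mode every value that
# enters the program from outside, %ENV included, is tainted and must be
# laundered through a regex capture before it can reach a taint-checked op.
use strict;
use warnings;

# perlsec's standard %ENV hygiene: drop the variables a sub-shell would
# honour and pin PATH, so the environment itself stops being a trust problem.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# Constructed fallback so the script runs outside a web server; a real CGI
# always receives DOCUMENT_ROOT from the server (still tainted under -T).
$ENV{DOCUMENT_ROOT} //= '/var/www/html';

# Untaint by matching against an explicit allow-list: an absolute path made
# only of safe characters, with no '..' components. A regex capture ($1)
# is the sanctioned way to produce an untainted copy.
sub untaint_docroot {
    my ($raw) = @_;
    return undef unless defined $raw && length $raw;
    return undef if $raw =~ m{(^|/)\.\.(/|$)};   # reject parent-dir hops
    if ($raw =~ m{^(/[A-Za-z0-9_./-]*)$}) {
        return $1;                               # untainted copy
    }
    return undef;                                # anything else is refused
}

my $docroot = untaint_docroot($ENV{DOCUMENT_ROOT})
    or die "refusing to run: DOCUMENT_ROOT missing or malformed\n";

# chdir is taint-checked: with the raw $ENV{DOCUMENT_ROOT} here, -T would
# abort with "Insecure dependency in chdir". The laundered value is accepted.
chdir $docroot or die "cannot chdir to $docroot: $!\n";

print "Content-Type: text/plain\r\n\r\n";
print "serving from $docroot\n";
```

Run it as `perl -T script.pl` (the `-T` on the shebang line is not enough when invoked through `perl` explicitly) and then again with `DOCUMENT_ROOT='/var/www/../../etc'` in the environment to see the allow-list refuse the value. Note that read-only `open` is not taint-checked, which is exactly why a validation step like this has to be deliberate rather than relying on Perl to catch every misuse.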
