
Untainting data - Perl

One area often overlooked in CGI programming is security. In this article Pete looks at common flaws in CGI scripts and how to fix them with Perl's taint mode, by filtering user input and more.

TABLE OF CONTENTS:
  1. Writing Secure CGI Scripts
  2. Why should I care about security?
  3. Shell processing
  4. Untainting data
By: Pete Smith
May 30, 2002

As we've already seen, taint follows the data: even if a tainted value is assigned to another variable, the copy is tainted too. There is, however, one way to untaint data: matching it against a regex and using what the capturing parentheses return.

if ($something =~ /^([\w.]+)$/) {   # guard the assignment: after a failed match $1 keeps its old value
    $cleanvariable = $1;            # the captured text is untainted
}


Here we specify that $something must contain only letters, numbers, underscores, or periods (\w matches letters, digits and the underscore; it does not match whitespace). The ^ and $ anchors force the whole value, from start to finish, to consist of nothing but these characters.

We've also enclosed [\w.]+ in parentheses, making it a capture group so that we can use the $1, $2, $3 etc. shortcuts. In our example $1 contains the whole value of $something (assuming it *did* only contain letters, numbers, underscores, or periods), and, unlike $something, $1 is not tainted.

We can shorten this a little further...

($cleanvariable) = $something =~ /^([\w.]+)$/;

... since in list context a successful match returns the captured groups ($1, $2, $3 etc.) as a list. If the match fails the list is empty, so $cleanvariable is left undefined rather than holding a stale $1.
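The following script is an added example, not code from the original article: it puts both forms of the untaint shown above into a small taint-mode program. The query string is constructed in the script rather than read from a web server, Scalar::Util's tainted() is used to show the taint flag on each value, and the script name and the untaint_filename subroutine are hypothetical. Run it as "perl -T untaint_demo.pl".

```perl
#!/usr/bin/perl -T
# Added example, not from the original article: untainting a CGI-style
# parameter under taint mode. Run as "perl -T untaint_demo.pl".
# The query string below is constructed instead of coming from a web server;
# Scalar::Util::tainted() reports the taint flag on each value.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: under -T everything read from %ENV is tainted, just like
# real CGI data. split() does not untaint, so $raw stays tainted.
$ENV{QUERY_STRING} = 'file=report.2002.txt';
my (undef, $raw) = split /=/, $ENV{QUERY_STRING}, 2;
my $copy = $raw;   # taint follows the data into the copy
printf "raw tainted=%d, copy tainted=%d\n",
    tainted($raw) ? 1 : 0, tainted($copy) ? 1 : 0;

# Whitelist untaint in the list-context form from the article (hypothetical
# helper name): the only thing that comes out is a capture, and a failed
# match yields an empty list, so the result is undef instead of a stale $1.
sub untaint_filename {
    my ($value) = @_;
    my ($clean) = $value =~ /^([\w.]+)$/;
    return $clean;
}

# Constructed candidate values showing what the whitelist accepts and rejects.
# \w covers letters, digits and underscore only, so a space or a slash fails.
for my $candidate ($raw, 'my report.txt', '../report.txt', 'report_v2.log') {
    my $clean = untaint_filename($candidate);
    if (defined $clean) {
        printf "%-18s accepted (tainted=%d)\n", "'$candidate'",
            tainted($clean) ? 1 : 0;
    } else {
        printf "%-18s rejected\n", "'$candidate'";
    }
}

# Pitfall of the two-statement form: after a failed match, $1 still holds
# the previous successful capture, which is why "$clean = $1" must be
# guarded by a check that the match succeeded.
'good.txt' =~ /^([\w.]+)$/;
'bad name' =~ /^([\w.]+)$/;
print "\$1 after a failed match is still '$1'\n";
```

The first two lines of output show that the copy is as tainted as the original, the loop shows that only the two accepted values come out untainted, and the last line shows the stale $1 that the guarded form avoids.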

The beauty of taint is that it considers all user input to be unsafe by default, but easily allows us to untaint a variable using a simple regex. Forcing us to perform a pattern match on the variable stops lazy habits from putting our security at risk, and makes us think a little more carefully about just what we expect to find in that data: even though it is not a security risk, it is still good practice to reject a telephone number if it contains letters.

At first you will find taint mode rather frustrating - your script will die for so many extra reasons - but after a while you will find it second nature to think secure, and your scripts will be a lot better for it.
