Re: textcounter.pl (alternate fix)

From: Jarkko Hietaniemi (jhiat_private)
Date: Thu Jun 25 1998 - 09:48:24 PDT

    If you aim at safe Perl CGIs I suggest the following:
    
    (1) upgrade to Perl 5: Perl 4 has known security holes
    (2) use -T (taint) option of Perl: suspect data sources abort the script
    (3) use -w and "use strict;" to catch other bugs
    (4) Perl 5 has oodles of ready-made CGI modules, some of which you can use
        as-is and some as building blocks: leverage the existing code base
    (5) with Perl 5 comes a doc page called perlsec that tells, ta-dah,
        about writing secure Perl
    (6) you can be really paranoid with the Perl 5 module called Safe, in which
        you can limit the operations the Perl script can do: e.g. it cannot
        do any file I/O, or you can trap operations (for example to check
        their arguments' sanity): the Perl script is run in a "safe
        compartment", sort of a chroot() for the "Perl op hierarchy".
    
    http://www.perl.com/CPAN/src/latest.tar.gz
    
    always contains the latest stable Perl maintenance release as source code
    
    --
    $jhi++; # http://www.iki.fi/~jhi/
            # There is this special biologist word we use for 'stable'.
            # It is 'dead'. -- Jack Cohen
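
The following is an added illustration of points (2), (3) and (6) above, written for this page; it is neither the original textcounter.pl nor jhi's code. It is a small page-counter CGI that runs under -T, untaints its one parameter by regex capture, and does its string formatting inside a Safe compartment. The parameter name "page", the counter file under /tmp, and the sample request strings are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not the original textcounter.pl. The "page" parameter,
# the /tmp counter path and the sample requests are assumptions.
#
# Run stand-alone, feeding CGI-style input through the environment:
#   QUERY_STRING='page=index.html' perl -T counter.pl
#   QUERY_STRING='page=x;rm%20-rf%20/' perl -T counter.pl    # rejected
use strict;                     # (3) catch undeclared vars, symbolic refs
use warnings;                   # (3) the lexical spelling of -w
use Safe;                       # (6) opcode-restricted compartment
use Scalar::Util qw(tainted);   # lets the script show what -T tracks

# (2) -T marks everything that enters from outside (%ENV, @ARGV, STDIN,
# file contents) as tainted and refuses to pass it to open(), system(),
# backticks, unlink() and friends. It also refuses any subprocess call
# while %ENV holds values a shell could abuse, so clean those first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Query from the environment (tainted) or @ARGV (also tainted); the
# literal fallback is untainted, which the output below will report.
my $query = $ENV{QUERY_STRING} // shift(@ARGV) // 'page=index.html';

# Minimal application/x-www-form-urlencoded parser. tr/// and s///e do
# not remove taint: decoded values stay as suspect as the raw input.
sub parse_query {
    my ($q) = @_;
    my %param;
    for my $pair (split /[&;]/, $q) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        $param{$k} = $v;
    }
    return \%param;
}

# The only way to untaint is a regex capture, and the regex is where the
# programmer declares what a legitimate value looks like. Whitelist a bare
# file name; refuse everything else instead of trying to "clean" it.
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw;
    # no '/', no leading '.', no shell metacharacters, bounded length
    return $1 if $raw =~ /\A(\w[\w.-]{0,63})\z/;
    return;
}

my $param = parse_query($query);
my $raw   = $param->{page} // '';
my $page  = untaint_name($raw);

print "Content-type: text/plain\n\n";
printf "raw value %s tainted\n", tainted($raw) ? 'is' : 'is not';

# The classic counter-script bug: raw input interpolated into a shell
# command. With tainted data, -T stops this before the shell sees it;
# eval lets the script report the refusal instead of dying.
eval { system("echo $raw >/dev/null") };
print "taint check stopped system(): $@" if $@;

unless (defined $page) {
    print "rejected page name\n";
    exit 0;
}

# (2) $page is untainted now, so open() accepts it. The file's contents
# come from outside too and are tainted; validate them the same way.
my $path  = "/tmp/textcounter-demo-$page";   # assumed location
my $count = 0;
if (open my $in, '<', $path) {
    my $line = <$in>;
    close $in;
    $count = $1 if defined $line && $line =~ /\A(\d+)/;
}

# (6) A Safe compartment only compiles the opcodes in its mask. The
# default mask has no file, process or network ops, so an open() smuggled
# into the code is refused at compile time and never runs.
# permit_only(':base_core') would narrow it to plain expressions.
my $cmp = Safe->new;
${ $cmp->varglob('count') } = $count;   # the only value it can see
my $banner = $cmp->reval('sprintf("%d visits so far", $count + 1)');
die "compartment failed: $@" if $@;

my $bad = $cmp->reval('open(my $fh, ">", "/tmp/pwned"); 1');
print "Safe refused hostile code: $@" unless defined $bad;

$count++;
open my $out, '>', $path or die "cannot write $path: $!";
print {$out} "$count\n";
close $out;
print "$banner\n";
```

When the script falls back to the built-in default query it reports that the raw value "is not" tainted and the system() call goes through; taint tracks where a value came from, not what it contains, which is why the regex whitelist in untaint_name is still the check that matters.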
    