On Sun, Feb 17, 2002 at 10:26:28PM -0800, Ryan wrote:
> This is a perl cgi script I wrote to allow me to have large html files on my
> web host without exceeding my storage quota.
>
> I'd like it looked at, _I_ can no longer abuse it to run random commands or
> go where I shouldn't, but that doesn't mean others can't.
>
> Any other feedback would also be great.
This is not a direct comment on your script, but will help in such situations. My suggestion: use perl's taint mode, which turns on a paranoid security system within the perl interpreter. Unsafe operations (such as opening a file whose name came from CGI input) remain possible, but must be specifically cleared by calls to the taint mechanism, which minimizes accidental security breaches. Highly recommended. See perlsec(1).

-- 
Henry House

The attached file is a digital signature. See <http://romana.hajhouse.org/pgp> for information. My OpenPGP key: <http://romana.hajhouse.org/hajhouse.asc>.
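A taint-mode version of the file-serving step discussed above, added here as an illustration of the advice rather than Ryan's script or anything from the thread; the document root path, the `page` parameter name and the accepted file-name pattern are assumptions:

```perl
#!/usr/bin/perl -T
# Added example (not Ryan's script): a taint-mode CGI that serves one of a
# fixed set of HTML files. The -T switch enables taint checking, so any value
# derived from CGI input is tainted until it passes through a regex capture.
use strict;
use warnings;
use CGI;

# Assumed document root; the real script's location is not given in the thread.
my $docroot = '/var/www/pages';

# Under -T, Perl also refuses to run external commands while $ENV{PATH} is
# tainted, so pin it and drop the other environment variables perlsec names.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Returns an untainted, validated file name, or undef if the input is unsafe.
sub untaint_page {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Only a bare name of letters, digits, '-' and '_' ending in .html is
    # accepted; this rejects '/', '..' and NUL bytes. The capture group ($1)
    # is what clears the taint flag, so keep the pattern strict.
    return $raw =~ /\A([A-Za-z0-9_-]{1,64}\.html)\z/ ? $1 : undef;
}

my $q    = CGI->new;
my $page = untaint_page($q->param('page'));

print $q->header('text/html');
if (!defined $page) {
    print "<p>Bad page name.</p>\n";
    exit 0;
}

# Without the regex check above, this open() would die under -T with
# "Insecure dependency in open while running with -T switch".
my $path = "$docroot/$page";
if (open my $fh, '<', $path) {
    print while <$fh>;
    close $fh;
} else {
    print "<p>No such page.</p>\n";
}
```

Removing `-T` from the first line makes the script run even without the regex, which is exactly the silent failure mode taint mode exists to catch.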