PATH, which determines where your CGI program will look for the programs
you tell it to run, a malicious user who can influence that variable can make your
program run a very dangerous program in place of the harmless one you named.
For this reason, perl provides the -T
flag, which turns on taint mode. Two of its checks matter here.
The first ensures that you have explicitly set your PATH
variable to a fixed, trusted value before any external program is run (a PATH
inherited from the environment is tainted, and perl refuses to use it, or one
containing world-writable directories, to locate a program); on UNIX systems, a
safe choice is usually
    $ENV{PATH} = "/bin:/usr/bin";
The perlsec manual page also recommends deleting IFS, CDPATH, ENV and BASH_ENV
from %ENV, since a sub-shell would otherwise honour them.
The second form of taint checking can be summarized as follows: every value that
comes from outside the program (form input, %ENV, file contents, command-line
arguments) is marked tainted, and perl refuses to let a tainted value reach anything
that affects the world outside the program: running commands, piped opens, opening
files for writing, unlink, and so on. The only way to untaint a value is to extract
it with a capture group in a regular expression match and use the captured text.
Notice that perl doesn't (and probably can't) check that the pattern is doing
something worthwhile; a pattern that captures everything launders anything. It
simply forces you to think about the problem, and apply a (hopefully) useful
solution. This is
usually very simple. For example, suppose we are accessing some information about
a product name, which we are going to use to open a file constructed from that
name. An unscrupulous user might manage to enter a name like ``rm *|''.
If we blindly pass that string to the two-argument form of open, perl treats
the trailing | as an instruction to run the preceding text as a command and read its
output, so the "open" could remove many files instead of reading one.
So before using any information garnered from outside sources
in a perl program, you should carefully determine which characters you are willing
to accept in that information, and reject anything else with a (stern) message that
such strings are unacceptable in your program. (Silently stripping the offending
characters is weaker: it can turn one user's input into another valid-looking name,
and it hides the attempted attack.) If you only wanted alphanumeric data (plus the
underscore, which \w also matches), you could use code like this:
    if ($product_name =~ /^(\w+)\z/) {
        $product_name = $1;    # the captured text is untainted
    } else {
        print "Illegal characters encountered in product name\n";
    }
Anchor the pattern at both ends: with only the leading ^, a value such as
``widget rm *|'' would match, be silently truncated to ``widget'', and pass.
To accept the characters which are legal in email addresses (letters, digits,
underscore, hyphen, @ and dot; this untaints the value but is not a full check of
address syntax), you might untaint input like this:
    if ($email_address =~ /^([-\@\w.]+)\z/) {
        $email_address = $1;
    } else {
        print "Illegal characters encountered in email address\n";
    }
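The following script puts the two taint checks together: it fixes PATH, parses a query string, shows that perl refuses a piped open of the raw (tainted) product name, and untaints through fully anchored capture groups. It is an added example written for this page, not code from the original text. The helper names (untaint_word, untaint_email, parse_query), the sample query string and the data directory are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original page. Run it as "perl -T untaint.pl":
# the -T on the #! line only takes effect when the web server (or the shell)
# executes the file directly.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# First taint check: no external program may run until PATH holds a fixed,
# untainted value. perlsec also recommends dropping these variables, which a
# sub-shell would otherwise read.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by capturing the part of the value that matches a whitelist.
# Both ends are anchored (\A ... \z): with only a leading ^, "widget rm *|"
# would be silently truncated to "widget" and accepted. Returns undef when
# any character falls outside the whitelist, so nothing is untainted by mistake.
sub untaint_word {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([A-Za-z0-9_]+)\z/ ? $1 : undef;
}

# Same characters the page allows for addresses: letters, digits, _ - @ and dot.
# This untaints; it is not a full validation of address syntax.
sub untaint_email {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([-\@\w.]+)\z/ ? $1 : undef;
}

# Minimal application/x-www-form-urlencoded parser for QUERY_STRING.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        }
        $p{$k} = $v;
    }
    return %p;
}

my $qs = $ENV{QUERY_STRING};
unless (defined $qs) {
    # Offline fallback: a constructed query string standing in for client input.
    # A literal is not tainted, so taint it the way perlsec describes: append an
    # empty substring of an already tainted value (any inherited %ENV entry).
    my ($tainted_src) = grep { defined($_) && tainted($_) } values %ENV;
    $qs = 'product=widget+rm+*%7C&email=alice%40example.com';
    $qs .= substr($tainted_src, 0, 0) if defined $tainted_src;
}
my %param = parse_query($qs);

# Second taint check: the raw value may not reach a piped open. Under -T perl
# dies with an "Insecure dependency" error instead of running "widget rm *".
my $raw = $param{product} // '';
if (tainted($raw) && $raw =~ /\|\s*\z/) {
    my $ok = eval { open(my $fh, $raw) or die "open: $!\n"; close $fh; 1 };
    print "two-argument open with tainted input: ", ($ok ? "ran\n" : "refused: $@");
}

my $product = untaint_word($param{product});
my $email   = untaint_email($param{email});
for my $check (['product', $param{product}, $product],
               ['email',   $param{email},   $email]) {
    my ($name, $in, $out) = @$check;
    printf "%-8s tainted on input: %-3s -> %s\n", $name, (tainted($in) ? 'yes' : 'no'),
        (defined $out ? "accepted '$out' (tainted: " . (tainted($out) ? 'yes' : 'no') . ")"
                      : 'rejected: illegal characters');
}

# Only the untainted copy may build a path, and with the three-argument open
# the name can never be read as a mode or a pipe, whatever the whitelist allows.
if (defined $product) {
    my $path = "/var/lib/products/$product.txt";    # assumed data directory
    open(my $fh, '<', $path) or print "cannot open $path: $!\n";
}
```

With the constructed input the product name "widget rm *|" is rejected and the attempted piped open is refused by taint mode, while alice@example.com is accepted and comes back untainted. In a real CGI deployment QUERY_STRING arrives tainted from the web server, so the fallback branch never runs.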