--- ***** <*****@*****.*****> wrote:
[snip]...
> p.s.: I read to use the -wT flags for security reasons
> as well as strict to enforce good programming habits.
> Your thoughts on that issue are.....?
I received this email a couple of days ago and I thought I should respond to the group, since the "PS" is a good question.
The -w switch, often used on the shebang line (e.g. #!/usr/bin/perl -w), turns on warnings. These warnings will let you know when you try to use uninitialized values, non-numeric characters in mathematical operations, etc. These warnings are written to the STDERR filehandle. In the case of CGI scripts, they will be written to the Web server's error log. It's very important to read this log and find these warnings. More often than not, they'll point to an issue that should be resolved. However, once the warnings are resolved, code moved into production should have warnings turned off. Enabling warnings not only slows the program slightly, but often causes many entries to be added to the error log which don't need to be there.
The -T switch turns on taint checking. When taint checking is turned on, Perl considers any data from outside of the program to be tainted and will kill your program rather than allow this data to be used in an unsafe manner. For the most part, an "unsafe manner" means "anything that Perl thinks might effect a change in its environment."
For example, the following snippet will run fine:
#!/usr/bin/perl -wT
use strict;
use CGI qw/:standard/;
my $file = param( 'somefile' );   # comes from the request, so Perl marks it tainted
open FILE, "< $file" or die "Can't open $file for reading: $!";   # reading is allowed
The above runs fine under taint mode because Perl doesn't think reading a file will cause a problem. The following snippet will kill the program:
#!/usr/bin/perl -wT
use strict;
use CGI qw/:standard/;
my $file = param( 'somefile' );   # still tainted
open FILE, "> $file" or die "Can't open $file for writing: $!";   # dies: "Insecure dependency in open while running with -T switch"
If you look carefully, you'll notice that the '<' was changed to a '>'. By obtaining $file from outside of the program (probably from an HTML form in this case), Perl, in taint mode, considers the data tainted. Since this variable specifies a file name to *write* to (thus changing things), Perl will not allow the operation to proceed. This is a Good Thing!
To use tainted data, you have to extract what you need with a regular expression backreference. See http://www.perldoc.com/perl5.6/pod/perlsec.html for more details.
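Putting that last paragraph into practice, here is an added example (not from the original post) of the regex-backreference step: it accepts only a plain basename, so the write that taint mode refused above becomes allowed, while anything carrying a slash or a leading dot (such as a '../' path) is rejected before it ever reaches open. The $upload_dir location and the untaint_basename helper are my choices for the example, not anything from the post.

```perl
#!/usr/bin/perl -wT
use strict;
use CGI qw/:standard/;
use Scalar::Util qw(tainted);

# Directory the script is allowed to write into (an assumption for this
# example; pick whatever your site uses).
my $upload_dir = '/var/www/data';

# param() hands back data from outside the program, so Perl marks it tainted.
my $raw = param('somefile');
defined $raw or die "No 'somefile' parameter supplied\n";
print STDERR "raw value is tainted\n" if tainted($raw);

# Untaint by extracting only what we are prepared to accept. Anything
# else (a slash, a leading dot, an empty string) is rejected outright.
my $file = untaint_basename($raw);
defined $file or die "Refusing to use unsafe file name\n";
print STDERR "file name is now untainted\n" unless tainted($file);

# $file is untainted, so this open-for-write is allowed under -T. Because
# the pattern never matches a slash, the path cannot escape $upload_dir.
my $path = "$upload_dir/$file";
open my $fh, '>', $path or die "Can't open $path for writing: $!";
print {$fh} "written at ", scalar localtime, "\n";
close $fh or die "Can't close $path: $!";

# Returns the untainted basename, or undef when the input is unacceptable.
# The capture ($1) is what clears the taint flag; the \A and \z anchors
# guarantee that the whole string, not just a piece of it, matched the rule.
sub untaint_basename {
    my ($name) = @_;
    return unless defined $name;
    if ($name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/) {
        return $1;
    }
    return;
}
```

The point of the tight pattern is that untainting is a statement that you have checked the data, so the regex should describe exactly what is acceptable rather than matching (.*) just to make the error go away.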
Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/