On Tue, Aug 20, 2013 at 11:39 AM, Kevin C. Krinke <ke...@krinke.ca> wrote:
> Hi all,
>
> I've just noticed (yes, I've been way out of the loop on my own projects
> for far too long) the user reviews of my module UI::Dialog.
>
> In particular: http://cpanratings.perl.org/user/avian
> What really spoils the good impression is that it's full of security
> issues. Don't use for displaying any untrusted strings as it is trivial to
> trick the module into executing arbitrary shell commands.

I like using Tie::Function for providing interpolation-time sanitization for
data that is to get interpolated. One could do something like this:

    use Tie::Function;
    tie our %SE, 'Tie::Function', sub {"\Q$_[0]\E"}; # Shell Escape

and then whenever the module does a system call, wrap the tainted variables.
That is, if you've currently got something like

    system("$command $arg1 $arg2"); # suboptimal, but works for this example

that would become, assuming $command is coder-provided and the args are from
the user,

    system("$command $SE{$arg1} $SE{$arg2}");

This approach also works well for entity-encoding data that goes in hidden
field value elements in HTML forms, and preventing other types of code
injection.
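A complete script that exercises the tied-hash idea from the reply above, covering both the shell-escape case and the hidden-field entity-encoding case it mentions. This is an added example, not code from the thread or from UI::Dialog; it assumes a constructed untrusted string, /bin/echo standing in for the coder-provided command, and a hand-rolled %HE hash for the HTML case.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Tie::Function;

# Shell escape: \Q...\E applies quotemeta, which backslash-escapes every
# non-word character, so the shell sees one literal word per argument.
tie our %SE, 'Tie::Function', sub { "\Q$_[0]\E" };

# HTML attribute escape for hidden-field values. Hand-rolled here (assumption)
# so the script needs nothing beyond Tie::Function.
tie our %HE, 'Tie::Function', sub {
    my $s = shift;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
};

# Constructed untrusted input: a dialog title carrying shell metacharacters
# and a double quote, the kind of string a user could hand the module.
my $untrusted = q{Nightly "backup"; uptime};

# Coder-provided command; only the argument is user-controlled.
my $command = '/bin/echo';

# Suboptimal: the metacharacters reach the shell unchanged, so the ';'
# would terminate the echo and start a second command. Built but not run.
my $unsafe = "$command $untrusted";

# Escaped at interpolation time: every metacharacter is backslashed.
my $safe = "$command $SE{$untrusted}";

print "shell would see (unsafe): $unsafe\n";
print "shell would see (safe):   $safe\n";

# Running the escaped form prints the title verbatim and nothing else.
system($safe) == 0 or die "echo failed: $?";

# Same hash trick for a hidden form field; the quote cannot close the
# attribute because it is emitted as &quot;.
print qq{<input type="hidden" name="title" value="$HE{$untrusted}">\n};
```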