Bugtraq mailing list archives

Re: Guidelines for cgi-bin scripts


From: angio () aros net (Dave Andersen)
Date: Tue, 8 Aug 1995 15:32:50 -0600


Lo and behold, Lee Silverman once said:

> For example, if someone gave you a cgi-bin script and asked you to tell
> them if it was going to cause any security holes, what would you look for?

   Check for any use of the system() call, or an open() which allows user
inputtable data.  So if you're letting them select a filename, or finger,
or anything similar, be paranoid.  This can be avoided easily in perl
with the open(BLAH, "-|") || exec 'command', 'arg1', 'arg2'; syntax, or
in C by using your own fork/exec instead of just system'ing.  With shell
scripts, it applies to all commands and things like
finger_info=`finger $username`  .  If you're going to use this syntax,
you'd best sanitize the daylights out of the user accepted data. :)

   The other security concerns are in scripts/programs which are suid and
rely upon environment variables.. it's crucial that you prevent a user
from executing it on their own with their own environment variables.
Perl is nice that way, in that it deems all environment variables
"tainted" unless you sanitize them, but common sense is still pretty
necessary.

   Other little things:  Make sure your data structures can't be overrun
by an incredibly large amount of data.  Most of the time you'll just
crash, but someone could get clever, I suppose.  Ahh.. *shrugs*

    -Dave Andersen
---
angio () aros net  system administration
Blah blah, my opinions are my own, etc.
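
Added example, not part of the original message: the "own fork/exec instead of system()" advice for the finger case, sketched in C with an allowlist check on the username and a bounded output buffer. The names valid_username, run_argv and finger_user, and the 32-character allowlist policy, are assumptions made for illustration.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy: 1-32 chars of [A-Za-z0-9_.-]; no leading '-' (option). */
int valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32 || s[0] == '-') return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789_.-") == n;
}

/* fork/exec argv[] with no shell; stdout -> out. Returns exit status or -1. */
int run_argv(char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    pid_t pid;
    if (outlen == 0 || pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                     /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);          /* each argument is passed verbatim */
        _exit(127);                     /* only reached if exec failed */
    }
    close(fds[1]);
    for (;;) {                          /* bounded copy; excess is discarded */
        char sink[256];
        int room = used < outlen - 1;
        ssize_t n = read(fds[0], room ? out + used : sink,
                         room ? outlen - 1 - used : sizeof sink);
        if (n <= 0) break;
        if (room) used += (size_t)n;
    }
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* The finger lookup from the post: username is one argv entry, never parsed. */
int finger_user(const char *username, char *out, size_t outlen)
{
    char *argv[] = { "finger", (char *)username, NULL };
    return valid_username(username) ? run_argv(argv, out, outlen) : -1;
}
```

Because the child is started with execvp rather than through /bin/sh, characters such as ; ` $ in an argument reach the program as literal bytes.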


