ch19_05.htm

By Tom Christiansen and Nathan Torkington ISBN 1-56592-243-3 First Edition, published August 1998

<HTML
><HEAD
>
<TITLE>Recipe 19.4. Writing a Safe CGI Program (Perl Cookbook)</TITLE>
<META
NAME="DC.title"
CONTENT="Perl Cookbook"><META
NAME="DC.creator"
CONTENT="Tom Christiansen &amp; Nathan Torkington"><META
NAME="DC.publisher"
CONTENT="O'Reilly &amp; Associates, Inc."><META
NAME="DC.date"
CONTENT="1999-07-02T01:45:27Z"><META
NAME="DC.type"
CONTENT="Text.Monograph"><META
NAME="DC.format"
CONTENT="text/html"
SCHEME="MIME"><META
NAME="DC.source"
CONTENT="1-56592-243-3"
SCHEME="ISBN"><META
NAME="DC.language"
CONTENT="en-US"><META
NAME="generator"
CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"><LINK
REV="made"
HREF="mailto:online-books@oreilly.com"
TITLE="Online Books Comments"><LINK
REL="up"
HREF="ch19_01.htm"
TITLE="19. CGI Programming"><LINK
REL="prev"
HREF="ch19_04.htm"
TITLE="19.3. Fixing a 500 Server Error"><LINK
REL="next"
HREF="ch19_06.htm"
TITLE="19.5. Making CGI Scripts Efficient"></HEAD
><BODY
BGCOLOR="#FFFFFF"><img alt="Book Home" border="0" src="gifs/smbanner.gif" usemap="#banner-map" /><map name="banner-map"><area shape="rect" coords="1,-2,616,66" href="index.htm" alt="Perl Cookbook"><area shape="rect" coords="629,-11,726,25" href="jobjects/fsearch.htm" alt="Search this book" /></map><div class="navbar"><p>
<TABLE
WIDTH="684"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch19_04.htm"
TITLE="19.3. Fixing a 500 Server Error"
><IMG
SRC="../gifs/txtpreva.gif"
ALT="Previous: 19.3. Fixing a 500 Server Error"
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="228"
><B
><FONT
FACE="ARIEL,HELVETICA,HELV,SANSERIF"
SIZE="-1"
><A
CLASS="chapter"
REL="up"
HREF="ch19_01.htm"
TITLE="19. CGI Programming"
></A
></FONT
></B
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch19_06.htm"
TITLE="19.5. Making CGI Scripts Efficient"
><IMG
SRC="../gifs/txtnexta.gif"
ALT="Next: 19.5. Making CGI Scripts Efficient"
BORDER="0"></A
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="sect1"
><H2
CLASS="sect1"
><A
CLASS="title"
NAME="ch19-37435"
>19.4. Writing a Safe CGI Program</A
></H2
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch19-pgfId-350"
>Problem<A
CLASS="indexterm"
NAME="ch19-idx-1000005425-0"
></A
><A
CLASS="indexterm"
NAME="ch19-idx-1000005425-1"
></A
></A
></H3
><P
CLASS="para"
>Because CGI programs allow external users to run programs on systems they would not otherwise have access on, all CGI programs represent a potential security risk. You want to minimize your exposure.</P
></DIV
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch19-pgfId-356"
>Solution</A
></H3
><UL
CLASS="itemizedlist"
><LI
CLASS="listitem"
><P
CLASS="para"
><A
CLASS="listitem"
NAME="ch19-pgfId-358"
></A
>Use taint mode (the <B
CLASS="emphasis.bold"
>-T</B
> switch on the #! line).</P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
><A
CLASS="listitem"
NAME="ch19-pgfId-360"
></A
>Don't blindly untaint data. (See below.)</P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
><A
CLASS="listitem"
NAME="ch19-pgfId-362"
></A
>Sanity-check everything, including all form widget return values, even hidden widgets or values generated by JavaScript code. Many people na飗ely assume that just because they tell JavaScript to check the form's values before the form is submitted, the form's values will actually be checked. Not at all! The user can trivially circumvent this by disabling JavaScript in their browser, by downloading the form and altering the JavaScript, or quit by talking HTTP without a browser using any of the examples in <A
CLASS="xref"
HREF="ch20_01.htm"
TITLE="Web Automation"
>Chapter 20, <CITE
CLASS="chapter"
>Web Automation</CITE
></A
>.</P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
><A
CLASS="listitem"
NAME="ch19-pgfId-366"
></A
>Check return conditions from system calls.</P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
><A
CLASS="listitem"
NAME="ch19-pgfId-368"
></A
>Be conscious of race conditions (described below).</P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
><A
CLASS="listitem"
NAME="ch19-pgfId-370"
></A
>Run with <B
CLASS="emphasis.bold"
>-w</B
> and <CODE
CLASS="literal"
>use</CODE
> <CODE
CLASS="literal"
>strict</CODE
> to make sure Perl isn't assuming things incorrectly.</P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
><A
CLASS="listitem"
NAME="ch19-pgfId-372"
></A
>Don't run anything setuid unless you absolutely must. If you must, think about running setgid instead if you can. Certainly avoid setuid root at all costs. If you must run setuid or setgid, use a wrapper unless Perl is convinced your system has secure setuid scripts and you know what this means.</P
></LI
><LI
CLASS="listitem"
><P
CLASS="para"
><A
CLASS="listitem"
NAME="ch19-pgfId-374"
></A
>Always encode login passwords, credit card numbers, social security numbers, and anything else you'd not care to read pasted across the front page of your local newspaper. Use a secure protocol like SSL when dealing with such data.</P
></LI
></UL
></DIV
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch19-pgfId-378"
>Discussion</A
></H3
><P
CLASS="para"
>Many of these suggestions are good ideas for any program &nbsp;-  using <B
CLASS="emphasis.bold"
>-w</B
> and checking the return values of your system calls are obviously applicable even when security isn't the first thing on your mind. The <B
CLASS="emphasis.bold"
>-w</B
> switch makes Perl issue warnings about dubious constructs, like using an undefined variable as though it had a legitimate value, or writing to a read-only filehandle.</P
><P
CLASS="para"
>Apart from unanticipated shell escapes, the most common security threat lies in forged values in a form submission. It's trivial for anyone to save the source to your form, edit the HTML, and submit the altered form. Even if you're certain that a field can return only <CODE
CLASS="literal"
>&quot;yes&quot;</CODE
> or <CODE
CLASS="literal"
>&quot;no&quot;</CODE
>, they can always edit it up to return <CODE
CLASS="literal"
>&quot;maybe&quot;</CODE
> instead. Even fields marked as type <CODE
CLASS="literal"
>HIDDEN</CODE
> in the form can be tampered. If the program at the other end blindly trusts its form values, it can be fooled into deleting files, creating new user accounts, mailing password or credit card databases, or innumerable other malicious abuses. This is why you must never blindly trust data (like prices) stored in hidden fields when writing CGI shopping cart applications.</P
><P
CLASS="para"
>Even worse is when the CGI script uses a form value as the basis of a filename to open or a command to run. Bogus values submitted to the script could trick it into opening arbitrary files. Situations like this are precisely why Perl has a taint mode. If a program runs setuid, or else has the <B
CLASS="emphasis.bold"
>-T</B
> switch active, any data coming in through program arguments, environment variables, directory listings, or a file, are considered tainted, and cannot be used directly or indirectly to affect the outside world.</P
><P
CLASS="para"
>Running under <A
CLASS="indexterm"
NAME="ch19-idx-1000005440-0"
></A
>taint mode, Perl insists that you set your path variable first, even if specifying a complete pathname when you call a program. That's because you have no assurance that the command you run won't turn around and invoke some other program using a relative pathname. You must also untaint any externally derived data for safety.</P
><P
CLASS="para"
>For instance, when running in taint mode:</P
><PRE
CLASS="programlisting"
>#!/usr/bin/perl -T
open(FH, &quot;&gt; $ARGV[0]&quot;) or die;</PRE
><P
CLASS="para"
>Perl warns with:</P
><PRE