[Pdx-pm] local extractor for CGI::Untaint

Ovid publiustemp-pdxpm at yahoo.com
Fri Apr 8 13:11:11 PDT 2005


--- John Springer <techdude at dpo.org> wrote:

> my module is in /usr/www/users/orygun/cgi-bin/MyUntaint
> (and cgi-bin is in @INC).

Hi John,

In addition to chromatic's comment, I'd just like to point out that you
do not want your modules in cgi-bin, assuming that this is your Web
server's cgi-bin directory.  What happens when someone types this?

  http://somehost/cgi-bin/MyUntaint/digit.pm

Will your Web server deny that?  Serve it as plain text?  Try to
execute it?  You can remove all questions about that by moving modules
to a separate directory from which content and code will not be served.
Not only is this safer, it makes for a more logical code organization.
Even if your Web server is currently set up to prevent any of these
problems, an upgrade or change in the configuration can again expose
the vulnerability.  Moving your modules eliminates this concern.

Cheers,
Ovid

-- 
If this message is a response to a question on a mailing list, please send
follow up questions to the list.

Web Programming with Perl -- http://users.easystreet.com/ovid/cgi_course/
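As an added illustration (not code from Ovid's message or from CGI::Untaint itself): the layout recommended above, with the local extractor kept in a private library directory that the Web server never serves or executes, and the CGI script pulling it in with `use lib`. The directory /usr/www/users/orygun/lib, the script name and the extractor's pattern are assumptions.

```perl
# File 1 (assumed path): /usr/www/users/orygun/lib/MyUntaint/digit.pm
# Lives beside cgi-bin, not inside it, so no URL maps onto this file.
package MyUntaint::digit;
use strict;
use warnings;
use base 'CGI::Untaint::object';

# CGI::Untaint calls _untaint_re and keeps only the first capture, so the
# tainted parameter is replaced by a value known to match this pattern
# (assumed pattern: optional whitespace around a run of digits).
sub _untaint_re { qr/^\s*(\d+)\s*$/ }

1;

# ---------------------------------------------------------------------------
# File 2 (assumed path): /usr/www/users/orygun/cgi-bin/count.cgi
# The only thing under cgi-bin is the script itself.
#!/usr/bin/perl -T
package main;
use strict;
use warnings;
use lib '/usr/www/users/orygun/lib';   # private lib dir, outside the docroot
use CGI;
use CGI::Untaint;

my $q = CGI->new;

# INCLUDE_PATH makes CGI::Untaint look for MyUntaint::digit before
# CGI::Untaint::digit, so -as_digit resolves to the local extractor.
my $handler = CGI::Untaint->new( { INCLUDE_PATH => 'MyUntaint' }, $q->Vars );

my $count = $handler->extract( -as_digit => 'count' );

print $q->header('text/plain');
if ( defined $count ) {
    print "count is $count\n";          # untainted, safe to use further
} else {
    print "invalid count: ", $handler->error, "\n";
}
```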

