Phoenix.pm: So, what are the merits of -T on CGI scripts?

EdelSys Consulting edelsys at edelsys.com
Thu Sep 2 17:28:28 CDT 1999


At 05:36 PM 09/02/1999 EDT, you wrote:
>What switches do y'all use and why for your CGI scripts...
>
>Tim
>

-T forces you to examine any data coming in from the "outside",
or going to the "outside" (via system, to the shell, for example),
and decide what to do with it.  Typically, what you do is run the
"outside" data through an untaint function, like this:

sub untaint {
  my ($taint) = @_;

  my $untaint = $taint;

  # Strip "questionable" characters: ".." path components, and shell
  # metacharacters such as ; & | > < ? * [ ] ' " and commas.
  # "+" is turned back into a space (form-encoded input).
  $untaint    =~ s/\.\.//g;
  $untaint    =~ s/\+/ /g;
  $untaint    =~ s/\;//g;
  $untaint    =~ s/\&//g;
  $untaint    =~ s/\|//g;
  $untaint    =~ s/\>//g;
  $untaint    =~ s/\<//g;
  $untaint    =~ s/\?//g;
  $untaint    =~ s/\*//g;
  $untaint    =~ s/\]//g;
  $untaint    =~ s/\[//g;
  $untaint    =~ s/\'//g;
  $untaint    =~ s/\"//g;
  $untaint    =~ s/\,//g;

  # With /s the pattern matches any string, so this always succeeds;
  # assigning the capture in $1 is what clears the taint flag.
  $untaint    =~ /^(.*)$/s;
  $untaint    = $1;

  return $untaint;
}

These two lines

  $untaint    =~ /^(.*)$/s;
  $untaint    = $1;

are what actually remove the taint flag from
the variable.  The other lines are just removing
"questionable" characters (e.g. shell metacharacters)
from the variable.

Tony

--
--  Anthony R. Nemmer 
--  http://www.swlink.net/~edelsys -- edelsys at swlink.net
--
--  EdelSys Consulting
--  http://www.edelsys.com/ -- edelsys at edelsys.com
--  
--  EFNet IRC Teratogen -- ICQ #14638605 -- edelsys at hotmail.com
--  (480) 968-6438 -- P.O. Box 1883, Tempe, Arizona 85280-1883
--
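Added example (not from the original post or its author): an allowlist-style untaint beside a demonstration of what -T actually enforces. Run it as `perl -T untaint_demo.pl 'a;rm -rf x'`; the helper name untaint_filename and the accepted character set are assumptions for the demo, and the fallback input is a constructed value.

```perl
#!/usr/bin/perl -T
# Run with: perl -T untaint_demo.pl 'some;input'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also refuses system()/exec() while PATH is tainted or while
# these shell-influencing variables are present, so clean them up front.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allowlist untaint (hypothetical helper, not the author's untaint()):
# return the value only if it consists entirely of characters expected in
# a plain file name; otherwise return undef so the caller must handle the
# rejection instead of silently using a mangled value.
sub untaint_filename {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# Command-line arguments are tainted under -T, just like CGI input.
my $raw = @ARGV ? $ARGV[0] : 'a;rm -rf x';   # constructed fallback value
printf "input %-20s tainted=%d\n", "'$raw'", tainted($raw) ? 1 : 0;

my $clean = untaint_filename($raw);
if (defined $clean) {
    # The regex capture is what clears the flag, as in the post.
    printf "accepted '%s' tainted=%d\n", $clean, tainted($clean) ? 1 : 0;
} else {
    print "rejected: not a plain file name\n";
}

# What -T does with the raw value: system() with a tainted argument dies
# with "Insecure dependency in system while running with -T switch".
eval { system('/bin/echo', $raw); 1 }
    or print "perl refused the raw value: $@";
```

With an argument supplied, the raw value is reported as tainted, the shell-metacharacter inputs are rejected rather than stripped, and the final system() call is refused by -T; with no argument, the constructed fallback is untainted and echo runs.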