[tpm] securing a CGI program from malicious user data

Fulko Hew fulko.hew at gmail.com
Wed Feb 18 11:39:43 PST 2009


Problem:

I'm providing a mechanism so that a system can be configured
to 'run' executables on remote machines based on configuration
information submitted in a CGI text field.

Obviously I don't want to allow the user to trash the system.

I'm going to:

1/ restrict the system to allow it to only execute 'trusted' apps
   located in a 'known' directory. (can I make a chroot jail in Perl/CGI?)

2/ strip characters from the invocation string that could be used to hurt
me:
    semicolon - because another malicious command could follow
    backtic   - because that could run another program
    ( )       - because that could invoke a sub-shell to run ...
    |         - because that could invoke ...
    &         - because other stuff might follow
    >         - because that could clobber an important file

    any \0xxx string that represents any of the above 'nasty' characters.

Tainging only talks about the concept, not what to de-taint.

- Are there any other things I should check for/prevent?
- Is there any standard/common resource on the web that you
  know of that talks about this (that I haven't found yet)?

TIA
Fulko
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.pm.org/pipermail/toronto-pm/attachments/20090218/dc6a9ad7/attachment.html>


More information about the toronto-pm mailing list