alternative to perl's Open?

Malcolm Dew-Jones yf110 at victoria.tc.ca
Tue Sep 7 11:36:25 CDT 2004

On Tue, 7 Sep 2004, Carl B. Constantine wrote:

> A recent hack here at UVic caused no end of grief for system staff. We
> managed to shut the cracker down, but not before quite a bit of damage
> was done to 75 web pages.
> The exploit took advantage of a perl CGI script that used the Open
> command.

1. perl -T  (taint mode)  should always be used for cgi scripts

2. from perldoc -f open

	Use 3-argument form to open a file with arbitrary weird characters
	in it,

	    open(FOO, '<', $file);

3. sysopen

4. When validating file names (for taint mode) it is probably better
   to determine what is allowed and check the name is 100% valid, because
   it is usually easier to know ahead of time what is good than what might
   be bad.  Then, if paranoid, also check for illegal things in the name.

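The three points above (taint mode, allowlist validation, the 3-argument open) combined in one small script, as an added example that is not from this thread. The $DOCROOT directory, the page-name format and the sub names are assumptions; run it as `perl -T` so taint checks are on.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Assumes pages live under $DOCROOT
# and that a valid page name is "name.txt" with a restricted character set.
use strict;
use warnings;

my $DOCROOT = '/var/www/pages';   # assumed directory this script may read

# Untaint a user-supplied page name by allowlisting what is known-good
# (point 4 above): letters, digits, underscore, hyphen, then ".txt".
# Under -T, only a regex capture clears the taint flag; anything that
# does not match is rejected outright.
sub untaint_page_name {
    my ($name) = @_;
    return unless defined $name;
    return unless $name =~ /\A([A-Za-z0-9_-]{1,64}\.txt)\z/;
    return $1;
}

# The pattern the thread warns about: 2-argument open lets the string
# choose the mode, so a leading "|" or ">" is honoured as a pipe or write.
#   open(my $fh, $untrusted) or die;        # do not do this

# Safe pattern: allowlist first, then 3-argument open with an explicit
# read mode, so the name can never be interpreted as a mode or a pipe.
sub read_page {
    my ($raw) = @_;
    my $name = untaint_page_name($raw)
        or return { ok => 0, error => 'invalid page name' };
    my $path = "$DOCROOT/$name";
    open(my $fh, '<', $path)
        or return { ok => 0, error => "cannot open $name: $!" };
    local $/;                 # slurp the whole file
    my $body = <$fh>;
    close $fh;
    return { ok => 1, body => $body };
}

# Constructed inputs: one acceptable name and three that the allowlist
# rejects before open() is ever reached.
for my $input ('about.txt', '|some-command', '>about.txt', '../about.txt') {
    my $r = read_page($input);
    printf "%-16s -> %s\n", $input, $r->{ok} ? 'opened' : $r->{error};
}
```

Note that taint mode alone does not block a read-only open with tainted data; it is the allowlist in untaint_page_name that keeps the path inside $DOCROOT, while -T catches any later attempt to write or execute with unchecked input.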
