Taint Mode

As I mentioned already, security is going to be a big concern with this script. Right from the beginning, though, we’ve brought out the heavy artillery, courtesy of Perl’s -T shebang-line switch:

#!/usr/local/bin/perl -Tw

This switch (which is lumped together with the -w warnings switch we’ve been using for a while now) is a very useful tool for making our CGI scripts more secure. The -T switch turns on Perl’s built-in taint mode. Perl’s taint mode is designed to make it easier to track which of the data our script is working with has come from an untrusted source, and fix that data so that it can’t do anything we don’t like. Specifically, taint mode has the following effects:

  • Any data obtained by our script from the outside world (meaning anywhere other than the script itself) is considered tainted.

  • Any variable that is modified in an expression that contains tainted data becomes tainted itself.

  • Tainted data may not be used by our script to take certain kinds of actions that would affect the outside world (writing to a file, for example).

In essence, taint mode makes our script paranoid. It doesn’t trust anything the outside world tells it, and it won’t take certain kinds of actions based on that information. Instead, it will die with an error message if it catches us trying to do something it considers unsafe. The hoops we have to jump through to overcome this tainting process are a bit of a pain, but they are in fact a really good thing, since they force us to pay ...
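To see the three effects listed above in action, here is a small stand-alone script (an added example written for this section, not code from the book) that you can run from the shell with perl -T. It treats its first command-line argument the way a CGI script would treat a form parameter, checks the taint flag with Scalar::Util's tainted() function, shows taint propagating into a derived path, catches the "Insecure dependency" error Perl raises when that path is used to open a file for writing, and finally untaints the value with the regular-expression capture idiom. The file name, the /tmp directory and the whitelist pattern are assumptions made for the demonstration.

```perl
#!/usr/local/bin/perl -Tw
# Added example (not from the book): taint propagation and untainting.
# Run as:  perl -T taint_demo.pl "my report.txt"   (or any file name)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted too; a sanitised PATH is required before any
# system(), exec() or backtick call. Not needed for open(), but it is the
# usual first line of a taint-mode script, so it is shown here.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Effect 1: data from the outside world (here @ARGV, in a CGI script the
# query string) arrives tainted. The constructed default literal does not.
my $name = @ARGV ? $ARGV[0] : 'report.txt';
printf "argument tainted?     %s\n", tainted($name) ? 'yes' : 'no';

# Effect 2: anything computed from tainted data is tainted as well.
my $path = "/tmp/$name";               # assumed scratch directory
printf "derived path tainted? %s\n", tainted($path) ? 'yes' : 'no';

# Effect 3: tainted data may not drive an action that affects the outside
# world. Opening for writing dies with
# "Insecure dependency in open while running with -T switch".
eval {
    open(my $fh, '>', $path) or die "open $path: $!\n";
    close $fh;
};
print "write refused: $@" if $@;

# Untainting: match against a whitelist of characters we are willing to
# accept and use only the capture. Anything else is rejected outright;
# that rejection, not the regex, is what keeps the check meaningful.
if ($name =~ /^([\w.-]+)$/) {
    my $safe = $1;
    printf "untainted name tainted? %s\n", tainted($safe) ? 'yes' : 'no';
    open(my $fh, '>', "/tmp/$safe") or die "open /tmp/$safe: $!\n";
    print $fh "written under taint mode\n";
    close $fh;
    print "wrote /tmp/$safe\n";
} else {
    die "rejected file name '$name': contains characters outside [\\w.-]\n";
}
```

Two points worth noticing when you run it. First, the -T must be present on the command line or in the shebang of a script started directly; running perl taint_demo.pl without -T against a script whose shebang has it produces "Too late for -T". Second, the whitelist pattern deliberately excludes / and leading dots, so an argument such as ../etc/passwd is rejected rather than untainted; the regex is only as safe as the character class you choose, which is exactly why taint mode makes you write it down explicitly.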
