www.perl.com
Perl Programming
Taint
  • Never trust user input
    • User input should be considered "tainted" with evil
    • Always test user input for validity before using it
    • Perl will require input validation if given the -T flag on the compiler line
    • Simple untainting example is below
    • CGI version follows on next slide, with its results

        #!/usr/athena/bin/perl -T
        use strict;
        use warnings;

        # Prompt and get user input
        print "Finger whom? ";
        my $user = <>;

        # Untaint user input
        if ($user =~ /^(\w*)$/) {
             $user = $1;
        } else {
             die "Illegal username";
        }

        # Make path safe
        $ENV{'PATH'} = '/bin:/usr/bin:/usr/athena/bin/';

        # Command is now safe
        my $output = `finger $user`;
        print "$output\n";
      
Previous http://stuff.mit.edu/iap/perl/