Perl Programming

Perl Programming
Taint
Never trust user input User input should be considered "tainted" with evil Always test user input for validity before using it Perl will require input validation if given the `-T` flag on the compiler line Simple untainting example is below CGI version follows on next slide, with its results #!/usr/athena/bin/perl -T use strict; use warnings; # Prompt and get user input print "Finger whom? "; my $user = <>; # Untaint user input if ($user =~ /^(\w*)$/) { $user = $1; } else { die "Illegal username"; } # Make path safe $ENV{'PATH'} = '/bin:/usr/bin:/usr/athena/bin/'; # Command is now safe my $output = `finger $user`; print "$output\n";
Previous	http://stuff.mit.edu/iap/perl/	Next

Taint

Never trust user input

User input should be considered "tainted" with evil
Always test user input for validity before using it
Perl will require input validation if given the -T flag on the compiler line
Simple untainting example is below
CGI version follows on next slide, with its results

        #!/usr/athena/bin/perl -T
        use strict;
        use warnings;

        # Prompt and get user input
        print "Finger whom? ";
        my $user = <>;

        # Untaint user input
        if ($user =~ /^(\w*)$/) {
             $user = $1;
        } else {
             die "Illegal username";
        }

        # Make path safe
        $ENV{'PATH'} = '/bin:/usr/bin:/usr/athena/bin/';

        # Command is now safe
        my $output = `finger $user`;
        print "$output\n";