You can take a look at a module approach to the data parsing problem by submitting the test form at http://clam.clamcenter.org/MINK_TCP_COM/testparse_module.html. This program is at http://clam.clamcenter.org/MINK_TCP_COM/parsedata_module.cgi, so feel free to make your own forms submit to it. You might like to see the CGI code for that as well as the ParseMe.pm module it uses.
You can view a page that displays its last five visitors but doesn't do much else. You probably also want to see the code for that.
For the time being, I am going to simply refer you to some cool pages about security, including:
Please try to do the following tasks:
How did you do last week's assignment?
Where can I learn about writing secure CGI scripts?
You should also read the following print materials:
This is the guy who wrote CGI.pm, which we'll be learning about next week!
This is the main page the above CGI information is taken from. Most of this stuff is written from a server administrator's point of view, but you should probably get an idea of the issues involved for future use. Your specific responsibility at the moment is to "not write dangerous CGI scripts that would cause a problem IF my server administrator left holes open." That's covered in the previous specific section.
The basics of taint mode!
This talks about tainting. Pay special attention to the detailed example on page 357. We'll be going over this tonight.
This talks about the basics of tainting.
Even if you have cleaned out all your tainted variables, it's still a good idea to avoid passing them to the shell. This recipe tells you how, with the "list of arguments" form of system and exec, which hands the arguments directly to the program instead of to a shell. It also describes how you might open a pipe to a child process and then print directly to the child via the pipe.
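To make the two points above concrete (untainting under -T, then calling a program without a shell), here is a small added example. It is not code from the course page or from ParseMe.pm; the filename pattern, the sample input, and the choice of wc and sort as child programs are my own assumptions. Run it as `perl -T untaint_demo.pl somefile.txt`.

```perl
#!/usr/bin/perl -T
# Added example (not from the course page): untaint a form-style value and
# pass it to a child process without involving the shell.
# Run with: perl -T untaint_demo.pl report-2024.txt
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to run system/exec/open while PATH is tainted, so set it
# explicitly and drop the environment variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by extracting only the characters we allow (assumed pattern: a word
# character followed by up to 63 word characters, dots or dashes).  Captures
# from a successful match are untainted; anything else is rejected outright,
# so '/', '..', ';', '|' and spaces never reach a child process.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    if ($raw =~ /\A(\w[\w.-]{0,63})\z/) {
        return $1;    # untainted copy of the value
    }
    return;           # refused: does not match the allowed form
}

# Command-line input is tainted under -T, just like CGI parameters.  If no
# argument is given, fall back to a constructed sample that the pattern rejects.
my $raw = defined $ARGV[0] ? $ARGV[0] : 'report 2024.txt';
printf "input '%s' is %s\n", $raw, tainted($raw) ? 'tainted' : 'not tainted';

my $name = untaint_filename($raw);
die "rejected filename '$raw'\n" unless defined $name;

# List form of system: the arguments go straight to wc, so shell metacharacters
# in $name are never interpreted.  The string form system("wc -l $name")
# would invoke /bin/sh and is exactly what this recipe tells you to avoid.
my $rc = system('wc', '-l', $name);
printf "wc exited with status %d\n", $rc >> 8;

# Piping to a child: the list form of open likewise bypasses the shell.
# Everything printed to $child becomes sort's standard input.
open(my $child, '|-', 'sort', '-u') or die "cannot start sort: $!";
print $child "$_\n" for qw(banana apple banana cherry);
close($child) or warn "sort exited with status ", $? >> 8, "\n";
```

Without -T the script still runs, but `tainted($raw)` reports false and Perl will not stop you from handing the raw value to a shell; the whole point of the taint check is that the untainting step is forced on you before any system, exec or pipe open.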
What should I do for next week?
Comments? Questions? General harassment? Mail it to mcovingt@staff.uiuc.edu