The following module was proposed for inclusion in the Module List:
modid:        CGI::Safe
DSLIP:        bdphp
description:  Safer method of using CGI.pm.
userid:       OVID (Curtis "Ovid" Poe)
chapterid:    15 (World_Wide_Web_HTML_HTTP_CGI)
communities:  www.perlmonks.org, consultation with Lincoln Stein,
              comp.infosystems.www.authoring.cgi
similar:      None known.
rationale:
  If you've been working with CGI.pm for any length of time, you know
  that it allows uploads by default and does not have a maximum post
  size. Since it saves the uploads as a temp file, someone can simply
  upload enough data to fill up your hard drive to initiate a DOS
  attack. To prevent this, we're regularly warned to include the
  following two lines at the top of our CGI scripts:

      $CGI::DISABLE_UPLOADS = 1;          # Disable uploads
      $CGI::POST_MAX        = 512 * 1024; # limit posts to 512K max

  As long as those are there before you instantiate a CGI object (or
  before you access param and related CGI functions with the
  function-oriented interface), you have pretty safely plugged this
  problem. However, most CGI scripts don't have these lines of code.

  This module is a subclass of CGI.pm that automatically takes care of
  that and also deletes unsafe environment variables:

      delete @ENV{ qw/ IFS CDPATH ENV BASH_ENV PATH SHELL / };

  It also provides methods for retrieving the original SHELL and PATH,
  if needed. These variables are left tainted. Future releases are
  intended to simplify the process of untainting form data and cookies.
enteredby:    OVID (Curtis "Ovid" Poe)
enteredon:    Wed Nov 28 19:57:55 2001 GMT

The resulting entry would be:

CGI::
::Safe            bdphp Safer method of using CGI.pm.                  OVID

Thanks for registering,
The Pause Team

PS: The following links are only valid for module list maintainers:

Registration form with editing capabilities:
https://pause.perl.org/pause/authenquery?ACTION=add_mod&USERID=25200000_f4ee5e2bdd473241&SUBMIT_pause99_add_mod_preview=1

Immediate (one click) registration:
https://pause.perl.org/pause/authenquery?ACTION=add_mod&USERID=25200000_f4ee5e2bdd473241&SUBMIT_pause99_add_mod_insertit=1
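The hardening the rationale describes, written out as an added example rather than the code of CGI::Safe itself: a CGI.pm subclass (the package name CGI::Hardened and the accessor names are assumptions) that sets the two limits in a BEGIN block so they are in place before any request body is read, strips the listed environment variables while keeping the original PATH and SHELL available (still tainted), and shows a script checking cgi_error after construction.

```perl
package CGI::Hardened;   # assumed name for this example; not CGI::Safe
use strict;
use warnings;
use CGI;
our @ISA = ('CGI');      # subclass CGI.pm so existing scripts only change the class name

# Originals are kept (still tainted) so a script can ask for them explicitly.
our %ORIGINAL_ENV;

# BEGIN runs at compile time, i.e. before the script body can call
# CGI->new or param(), which is when CGI.pm reads the POST body.
BEGIN {
    $CGI::DISABLE_UPLOADS = 1;          # never spool uploads to temp files
    $CGI::POST_MAX        = 512 * 1024; # reject request bodies over 512K

    @ORIGINAL_ENV{qw/PATH SHELL/} = @ENV{qw/PATH SHELL/};
    # Variables a CGI should not inherit from the web server's environment.
    delete @ENV{qw/IFS CDPATH ENV BASH_ENV PATH SHELL/};
}

# Accessors for the removed values; callers must untaint before use
# (for example by setting an explicit $ENV{PATH} of their own).
sub original_path  { return $ORIGINAL_ENV{PATH} }
sub original_shell { return $ORIGINAL_ENV{SHELL} }

# Constructor is inherited from CGI unchanged; the limits above already
# apply because they are package variables read by CGI.pm itself.

package main;

my $q = CGI::Hardened->new;

# When POST_MAX is exceeded CGI.pm does not die; it records the problem in
# cgi_error ("413 Request entity too large") and param() returns nothing.
# Report it and stop instead of silently processing an empty request.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err);
    print "Request rejected: $err\n";
    exit;
}

print $q->header('text/plain');
print "name=", ($q->param('name') // ''), "\n";
print "uploads disabled, PATH removed from environment\n";
```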