The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Perl CGI security?

Is there a way or possibility that a Perl script/source code could be viewed in the browser? Probably due to Apache being too busy processing. Or anything else? Do you know of any common security issues/scenarios?

Tuesday, September 06, 2005
use ftp.
slava
Tuesday, September 06, 2005
If the webserver isn't properly set up to treat your .pl and/or .cgi files as CGIs, it will display them as text.

If the handler is properly in place for the filetype, though, and the scripts/directories are executable, the source code of the script won't be shown to the user.
Tuesday, September 06, 2005
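An added example, not configuration from the thread, showing the two Apache setups the reply above contrasts: a directory with no CGI handler, where a .pl file is served as a static file and its source goes straight to the browser, and the same directory declared as a CGI directory. The directory paths and the Apache 2.4 `Require` syntax are assumptions.

```apache
# Misconfigured: nothing tells Apache these files are programs, so a request
# for /scripts/form.pl is answered with the file's contents.
Alias "/scripts/" "/var/www/scripts/"
<Directory "/var/www/scripts">
    Options None
    Require all granted
</Directory>

# Corrected: mark the directory executable and bind the cgi-script handler
# to the extensions used. mod_cgi (or mod_cgid) must be loaded for this.
Alias "/scripts/" "/var/www/scripts/"
<Directory "/var/www/scripts">
    Options +ExecCGI -Indexes
    AddHandler cgi-script .cgi .pl
    Require all granted
</Directory>

# Alternative: ScriptAlias implies ExecCGI and treats EVERY file in the
# directory as a CGI, so a stray editor backup (form.pl~, form.pl.bak) is
# executed (or fails with a 500) rather than served as text.
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    Options -Indexes
    Require all granted
</Directory>
```

A quick check from the outside: fetch a script URL with `curl -si` and look at the first line of the body. If it starts with `#!/usr/bin/perl`, the handler is not in place. Note the caveat in the AddHandler form: only the listed extensions are handled, so a backup copy of a script with a different suffix left in the directory is served as a plain file.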
Common security issues are the webserver allowing scripts to be owned by/run as root (CGIwrap is a good preventative measure to put in place for that), or the CGI is written insecurely and allows someone to exploit it (all the Matt's Script Archive CGIs from the early days of the internet come to mind).
Tuesday, September 06, 2005
Another script might allow you to pass in a filename, and it spits out the contents. So you could pass the filename of one of the .pl scripts.
Tuesday, September 06, 2005
The OP probably has a client who is worried that somehow a visitor might see the Perl code. Ordinarily this can't happen.

I guess you could imagine some incredibly misconfigured server that was sending out the script contents rather than running them.

By the way check out perl's taint mode for CGI scripts. It's a great method of making your script really secure.
Sheldon Lavine
Tuesday, September 06, 2005
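An added example, not code from the thread, serving two of the replies above: the "pass in a filename and it spits out the contents" script, first as described (vulnerable), then hardened and run under Perl's taint mode. The document root, the parameter name and the `.txt` extension are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example: a file-viewing CGI, vulnerable and hardened forms.
# DOC_ROOT, the 'file' parameter and the .txt restriction are assumptions.
use strict;
use warnings;
use CGI;

# Taint mode (-T) refuses to use client-derived data in system(), exec(),
# backticks, unlink, mkdir, chmod and opens for WRITING, and it refuses to
# run any external command until PATH and the shell variables are cleaned.
# It does NOT stop a read-only open() of a tainted path, so on its own it
# does not fix the script below; the allowlist does.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $DOC_ROOT = '/var/www/docs';    # assumed location of the viewable files
my $q        = CGI->new;

# --- Vulnerable form --------------------------------------------------------
# GET /cgi-bin/view.cgi?file=../../../usr/lib/cgi-bin/view.cgi sends back this
# script's own source; file=../../../etc/passwd works the same way.
sub vulnerable_view {
    my $name = $q->param('file');
    open my $fh, '<', "$DOC_ROOT/$name" or die "open: $!";
    local $/;
    return <$fh>;
}

# --- Hardened form ----------------------------------------------------------
# Accept exactly one filename: no slashes, no leading dot, no "..", a fixed
# extension. The capture group is what untaints the value; match only what
# you are prepared to open.
sub safe_view {
    my $name = $q->param('file');
    return undef unless defined $name;
    my ($clean) = $name =~ /\A([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.txt)\z/
        or return undef;
    my $path = "$DOC_ROOT/$clean";
    return undef unless -f $path;      # plain file only, never a directory
    open my $fh, '<', $path or return undef;
    local $/;
    return <$fh>;
}

print $q->header(-type => 'text/plain', -charset => 'UTF-8');
my $body = safe_view();
print defined $body ? $body : "No such document.\n";
```

Because `-T` is on the shebang line, the web server starts the script in taint mode automatically. When testing from a shell, run it as `perl -T view.cgi file=notes.txt` (CGI.pm accepts `name=value` arguments on the command line for debugging); plain `perl view.cgi` dies with "Too late for -T".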
This shouldn't happen if your web server is properly configured, but I've seen it on a few occasions on the internet when somebody screwed up.

There's a lot to be said for keeping your application somewhere safe outside the webroot (preferably in its own modules), then just putting only a little bit of code in your script to call it and process the request.

This is the approach you would normally take if you use the CGI::Application module as the base to create your CGIs.

That way you end up with a CGI script something like this, which wouldn't give too much away even if somebody did manage to pants up their Apache settings:


#!/usr/bin/perl
use strict;
use warnings;
use lib '/path/to/my/application/modules';   # modules live outside the webroot
use MyApplication::MyForm;

my $app = MyApplication::MyForm->new;
$app->run;   # CGI::Application dispatches the request from here
Tuesday, September 06, 2005
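To show what the thin script above hands off to, here is a minimal MyApplication::MyForm as an added example. It is not the poster's module (none was shown in the thread); the run modes, parameter names, form field and the module's location are all assumptions.

```perl
# Added example: assumed to live at
# /path/to/my/application/modules/MyApplication/MyForm.pm, outside the
# webroot, so no URL maps to it even if the CGI handler is misconfigured.
package MyApplication::MyForm;
use strict;
use warnings;
use base 'CGI::Application';

# Called by CGI::Application before the request is dispatched.
sub setup {
    my $self = shift;
    $self->start_mode('show');            # mode used when 'rm' is absent
    $self->mode_param('rm');              # query parameter that selects the mode
    $self->run_modes(
        show   => 'show_form',
        submit => 'handle_submit',
    );
    $self->header_props(-type => 'text/html', -charset => 'UTF-8');
}

sub show_form {
    my $self = shift;
    return <<'HTML';
<form method="post">
  <input type="hidden" name="rm" value="submit">
  Name: <input name="name"> <input type="submit" value="Send">
</form>
HTML
}

sub handle_submit {
    my $self = shift;
    my $name = $self->query->param('name');
    # Validate against an allowlist before the value is used anywhere.
    unless (defined $name && $name =~ /\A[\w .'-]{1,64}\z/) {
        return '<p>Invalid name.</p>';
    }
    # Escape on output so the reflected value cannot inject markup.
    my $safe = $self->query->escapeHTML($name);
    return "<p>Hello, $safe.</p>";
}

1;
```

With this layout the only file under the webroot is the eight-line wrapper, which names the module directory and nothing else. Keep that directory readable by the web server's user but not writable by it, so a compromised script cannot rewrite the application.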

This topic is archived. No further replies will be accepted.
