tachyon has asked for the wisdom of the Perl Monks concerning the following question:
If you wish to allow users to enter a search term and use Perl's internal grep function to search an index file is this script a secure way to do it? By using quotemeta on the user input I can not see how you can hack this, even though the untainting of the user search term is global to allow searching for strings other than pure alphanumberic. I am worried about the interpolation into the grep. Can anyone see security holes?
#!/usr/bin/perl -wT use strict; use CGI; use Fcntl (':flock'); # clean up the environment for CGI use BEGIN { delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; $ENV{'PATH'} = '/bin:/usr/bin:'; } $CGI::DISABLE_UPLOADS = 1; $CGI::POST_MAX = 1024; my $query = new CGI; my $db_file = 'c:/test.pl'; my $flock = 1; my $timeout = 15; my $find = $query->param('search'); $find = quotemeta $find; $find = ($find =~ m/^(.+)$/) ? $1 : ''; die_nice("Please specify a search term!") unless $find; # get the data into an array, retrun a reference to that array my $data_ref = get_data($db_file); # do the search my @lines = grep{ /$find/i }@$data_ref; # do something with @lines
cheers
tachyon
s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
Back to
Seekers of Perl Wisdom