CGI Security
- Okay, so security looms over every
webmaster's shoulder like...like...like a big scary looming
thing.
- As we saw in the prerequisite article
"Introduction to Web
Programming 101", there is no such thing as
a fool-proof CGI script or a safe web
server.
- The minute you give the world access to
your inner world is the minute that you introduce security holes.
There is no program, web-based or not, that does not introduce a
security risk.
- However, since most webmasters find it
essential to expand their services to include CGI, most webmasters
are ready to take an intelligent risk with their CGI scripts.
- In other words, though you can never be
totally safe, you can certainly make yourself as safe as it
gets!
- In most cases, that means that though a
CGI might get hacked, the hacker could not do much damage.
- The first rule of CGI security is to use
one of the standard safe libraries for reading and parsing form
input. These include cgi-lib.pl for Perl 4 and 5 or CGI.pm for
Perl 5.
- These libraries have been around for
years and have been tested millions of times by users in every
imaginable environment. They have gone through many revisions
from learned experience and take precautions for all sorts of
little buggers that you may not think about if you started
writing a form handler yourself.
- However, once you have read and parsed
form data, you must also pay attention to how that data is used
and make sure that you do not create a security hole in the data
handling.
- There are two primary considerations for
writing safe CGI scripts as discussed by Lincoln Stein in his
SafeCGI presentation.
These are checking user input and restricting system calls.
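Both rules in one form handler, as an added Perl example written for this page (it is not code from the article or from Lincoln Stein's presentation; the form field names and the sendmail path are assumptions):

```perl
#!/usr/bin/perl -T
# Added example: a form handler that follows the article's two rules,
# checking user input and restricting system calls. Taint mode (-T) makes
# Perl refuse to hand unchecked form data to system(), piped open() and
# similar calls, so a forgotten check fails loudly instead of silently.
use strict;
use warnings;
use CGI;    # the standard form-parsing library the article recommends

$ENV{PATH} = '/bin:/usr/bin';             # taint mode requires a trusted PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # and no shell-influencing variables

my $q = CGI->new;

# Rule 1, check user input: accept only what a valid value can look like.
# Capturing the matched part is also how Perl "untaints" the value; a
# field that does not match is rejected rather than repaired.
my ($to) = ($q->param('email') // '') =~ /^(\w[\w.+-]*@[\w-]+(?:\.[\w-]+)+)$/
    or respond('400 Bad Request', 'Bad e-mail address');
my ($subject) = ($q->param('subject') // '') =~ /^([\w .,!?-]{1,80})$/
    or respond('400 Bad Request', 'Bad subject');

# Rule 2, restrict system calls: never build a shell command from form data.
# open(MAIL, "|/usr/sbin/sendmail $to") would let characters in $to become
# shell syntax. The list form of open() starts sendmail without a shell,
# so $to is a single argument and nothing more. (Path is an assumption.)
open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', $to)
    or respond('500 Internal Server Error', 'Cannot run sendmail');
print $mail "To: $to\nSubject: $subject\n\nThanks for your message.\n";
close($mail) or respond('500 Internal Server Error', 'sendmail failed');

respond('200 OK', 'Message sent');

# Send a plain-text reply with the given HTTP status and stop.
sub respond {
    my ($status, $text) = @_;
    print $q->header(-status => $status, -type => 'text/plain'), "$text\n";
    exit;
}
```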
Additional Resources:
Debugging CGI Scripts