Perl Security

[jkrohn]

I have taken on the process of providing an online application process for my employer.

As far as security for my perl backend, what should I have?

Setup:

They fill out an online form, submit via POST where the variables are put in a hash and emailed out to an account using sendmail with the info they passed in.

Security:
1) if they submit via GET, the script does nothing. Everything is conditional on POST
2) HTTP_REFERRER is restricted to our specific server.
3) Max lengths assigned to every variable coming in from the form.
4) each $value from $has{$key}=$value is checked agaisnt all checkes found here.

http://krohn.dhs.org:200/parse.txt

**Note, not my scripts but I did use his checking/stripping **

Anything else i'm missing? Other things I should be doing?

Jkrohn

[wadeintothem]

Hi,

Did you use -T at the end of your shebang line? This also helps with security.


I'm not sure what form parsing you are using, but if I'm really paranoid about a script (sometimes I do scripting for a gaming club and the like and you gotta becareful with the 13 y/o busy bodies I dont use an html form, I put make the form as a subroutine of the script, spell out each variable specifcially (as opposed to processing generically all variables submitted like:

foreach ($FORM{'$variable'}) { print MAIL.. etc .. - I know this left is not a good example but hopefully you know what I mean.

Then I put the script into a small invisible footer frame and add the following to the header:

<script Language="JavaScript">
if (window == top) {
top.location.href = \"http://www.yoursitehere.com\";
}
</script>

and then add an anti-right click thing.. to make it difficult to obtain the Value's name..

I do that in addition to what you listed.. and only in my most paranoid state .. if it was just Joe Company Contact form, I would just do it your way. Anyway, i'm not sure my thing would help against a good hacker, but it always made me feel better.