Beginning Perl Web Development - From Novice To Professional (2006)

print "Content-type: text/html\n\n";

$dbi->connect();

print "hi";

In the example shown in Listing 1-15, Carp logging is set up. Then the rest of the CGI continues. I purposely call an undefined $dbi->connect() method to produce an error. When viewed through a browser, this causes a fatal error, and the “hi” never gets printed to the client’s browser. However, the following line is now inside the carperror.log file:

Can't call method "connect" on an undefined value

at /usr/lib/cgi-bin/perlbook/chap1/isecarp.cgi line 14.

The Carp module enables other debugging options as well. Use perldoc, the Perl documentation program, to look up further information on CGI::Carp, by typing the following:

perldoc CGI::Carp

Other Troubleshooting Tips

The following are some other tips for debugging and troubleshooting:

•Check the permissions on the program. Many times, the permissions are set incorrectly. The correct permissions are usually set as rwxr-xr-x, which corresponds to octal 755. You should never set the permissions to rwxrwxrwx, or octal 777. See the next section on security for more information.

•Check the ownership of the program. On systems that use the suEXEC feature, the ownership must exactly correspond to the ownership set up in the Apache configuration file. If it doesn’t, the program won’t run and errors will be sent to the log file.

•Check log files! One of the strongest points of open-source software is logging. Examining the Apache error log is almost always helpful.

Security Considerations with CGI Programs

CGI programs and their security have been much maligned over the years. However, by themselves, CGI programs usually present no more of a security risk than any other application that can be run by anyone in the world, all things being equal. Of course, the fact that the CGI script can be run by anyone visiting the web site makes the security of the program and the server particularly important.

A competent system administrator can secure a CGI environment in such a way as to make up for many kinds of programmer mistakes. That said, CGI programmers are not relieved of the duty to make their programs safe. This section examines some of the security considerations when creating a CGI application.4

4.This section does not examine security of the server itself. Such things are best left to other titles such as Hardening Apache by Tony Mobily (Apress, 2004).

32 C H A P T E R 1 ■ T H E C G I M O D U L E

File Permissions

Too often, I’ve seen CGI programs that have improper permissions on the web server. When something goes wrong in the CGI application, some programmers immediately blame server settings and go overboard by changing the permissions on the application to the widest, most open, and insecure setting of all: chmod 777. This permission enables any local user to overwrite and, yes, delete the application. While you may not think that anyone would do this, it takes only one inadvertent command by one lowly newbie to wipe out the application.

CGI permissions should be 755 (rwxr-xr-x), 775 (rwxrwxr-x), or even more restrictive in certain circumstances. By no means should “other” or “world” be given write permission on

a CGI script.

Taint Mode

Although very simple, the examples in this chapter have all included two things that you as a CGI programmer can do to help make your program more secure. The first is using the -T

option when invoking the Perl interpreter. The other is using the strict pragma, as described in the next section.

The -T option enables Perl’s taint mode, whereby untrusted input into your program will not be allowed to perform certain operations, such as interaction with the system, writing to files, and so on. In a way, this option saves you from yourself. A simple mistake using tainted data can result in a malicious user being able to execute a system process or gain access to areas they are not authorized to enter.

Data is untainted by running it through a regular expression, and the -T option prevents the use of untrusted input. This means that only acceptable data will be allowed within the script once it passes through the regular expression. For example, the script in Listing 1-4 looks for input from the user through a form variable. This input consists of a person’s name. Therefore, it would be a fair assumption that the only acceptable input consists of letters, maybe alphanumeric values, and possibly an apostrophe (though you would be surprised at how many applications break if an apostrophe is included as input). If you wanted to untaint the name parameter as it came into the script, you might do something like this:

my $name = param('name');

if ($name =~ /^\w+('\w+)?$/) { $name = $1;

} else {

warn "Bad data found in $name"; $name = "";

}

The code essentially looks for any number of word characters, followed by an optional apostrophe, followed by any number of alphanumeric values. If this matches, the resulting $1 variable is assigned to $name. If this doesn’t match, a warning is sent to the log file, and $name is set to nothing.

Using taint mode will likely seem like a hassle, but it will certainly make your application safer. I recommend making a function to untaint regularly used inputs. For example, it’s quite common to untaint the same types of data repeatedly, such as names, telephone numbers, domain names, e-mail addresses, and so on. Creating a function and then calling that function to untaint the data is usually simplest.

Also, a number of existing Perl modules are available on CPAN (http://www.cpan.org/) to assist in the process of untainting data. Helpful routines include ones to untaint and check the validity of e-mail addresses, IP addresses, and credit cards. If you’re writing a CGI application that requires untainting, don’t reinvent the wheel. Instead, leverage these modules in your application.

Taint mode is a runtime option. This effectively means that you might not find out about the tainted use of a variable until that variable is used within the program for an unsafe operation. The only way to find these types of issues if they are hidden is to test the program before release.

Strictness

The use strict; statement, included in the scripts in this chapter, is something that, as a Perl developer, you should be using in all of your scripts, not just CGI programs. When you include this line in your code, the Perl interpreter will look for variables and functions that have not been predeclared or variables that are out of scope.

The use strict; directive is a compile-time option. This means that any such errors will be caught immediately when the program runs. This is in contrast to a runtime option such as taint checking, which will cause an error only when a tainted variable is encountered.

Untrusted Data from Forms

One of the most common mistakes historically with CGI programs is the use of untrusted data in an application. The problem usually begins by passing hidden form variables between forms in the application, and then taking some action based on this data without doing some sanity checking on the data itself. Shopping cart programs have been broken in this way, as have other applications. The problem isn’t limited to Perl-based CGI applications; any application that relies on user input could fall victim to this type of vulnerability.

The options for strictness and taint mode will help to only a certain extent against this type of attack. The best way to guard against untrusted data is to not use hidden form fields at all. This isn’t always possible or, more appropriately, it isn’t always practical to create an entire application without hidden form variables. The important thing to remember is that when you have any form variable, hidden or otherwise, you must perform a sanity check on the data received from the user. This frequently includes going through a number of conditionals to ensure that the data is not only in an acceptable format (think: taint checking), but also is within a valid range.

Take a shopping cart application as an example. With taint checking enabled, you could only verify that the form parameter was a series of numbers, usually in the form of N numbers followed by a period (or a comma in some locales) and then two numbers, like 5.15. However, all taint mode checking has done is to ensure that you have a series of numbers with a period or comma; it has done nothing to actually check the amount of the number. This means that there’s nothing to prevent a user from changing that form field to 0.01. Since 0.01 is an acceptable number according to the taint checking, it would pass through without a problem, except now instead of purchasing the item at $5.15, the attacker is purchasing it for $0.01!

Does the example seem far-fetched? It shouldn’t. Similar things have happened repeatedly to web sites with poorly designed applications that don’t do proper checking of data being passed into the application.

34 C H A P T E R 1 ■ T H E C G I M O D U L E

Rather than fix the underlying problem, some developers use tricks to ensure that the data is correct. One of the most popular among these tricks is to use JavaScript to check that data is valid on the client side, to prevent a round-trip to the server before finding out there is a problem with the data. Unfortunately, it’s trivial to get around a JavaScript check. Again, the only place that you can check data is within your program after it can no longer be accessed by the user.

Reliance on any JavaScript tricks to try to block access to the source code or try to prevent the user from doing something is a sign of a fragile, poorly designed application in the same way that reliance on a certain browser is a sign of poor coding. Fragile Internet applications rely on client-side settings; good applications work using widely recognized standards and handle errors and unexpected conditions gracefully.

Another flawed trick is to use the HTTP_REFERER (yes, that’s the correct spelling in this case) variable to ensure that the only place from which a user might visit is a valid page. In other words, the developer is trying to make sure that someone isn’t trying to come into the middle of a shopping cart with her own prices and quantities. As you might expect, HTTP_REFERER can be forged without much difficulty. Therefore, you shouldn’t rely on this value to be sure that the data you’re receiving is valid; rather, you should check the data against a known set of good values.

Untrusted Data from Cookies

Just as form data should always be untrusted, cookies are client-side objects sent to your application and should be treated appropriately. Cookies can be altered, just as form values can be modified. Any data received from cookies must be taint-checked and value-checked to ensure that it is the same as when it was sent to the user. The examples from the previous section apply equally to cookies. Always check data coming from the user, and always design the application to fail gracefully when the user does something unexpected.

Summary

Building an entire Perl-based CGI application such as a shopping cart is a matter of handling form values across multiple pages, sometimes using cookies, sometimes passing the values across the pages themselves, interacting with a database, possibly managing sessions, and using environment variables. I’ve found that knowledge and talent at designing web pages is more of a challenge than getting the background CGI programs working.

In this chapter, you learned about the CGI module including some of its functions. You also learned how to work with cookies through the CGI module, as well as debugging a CGI with the help of the Carp module. In the next chapter, you’ll take a closer look at the Carp module, as well as some other modules that are commonly used when building web applications.

36 C H A P T E R 2 ■ P O P U L A R C G I M O D U L E S

Table 2-1. Carp Functions for Outputting Warnings and Errors

Sending Fatal Errors to the Browser

With CGI::Carp, you can configure errors to be sent to the browser window rather than to the log file. This might be useful for debugging and other purposes. However, you should be aware of the potential for this method to divulge too much information to the end user. In other words, using this method makes debugging and testing easier, but it also may give out too much information about the script, including its location and other items that you might not wish disclosed. Therefore, if you’re going to use this method, it’s a good idea to disable it before going live with the application.

To send errors to the browser, you need to use one of the methods that is not exported by default; therefore, you must call it explicitly. Listing 2-1 provides an example of using CGI:Carp to send fatal error messages to the browser.

Listing 2-1. Sending an Error to the Browser with CGI::Carp

#!/usr/bin/perl -T

use strict;

use CGI qw/:standard/;

use CGI::Carp qw/fatalsToBrowser/;

print header, start_html("Testing CGI Carp"); die ("This is a test die");

print end_html;

exit;

Viewing the code in a browser reveals a page like the one in Figure 2-1.

CGI::Carp takes care of most of the background work for you once you call the correct method, with this line of code:

use CGI::Carp qw(fatalsToBrowser);

From there, if the script dies, the error will be sent to the browser.

As you can see in Figure 2-1, the error message also shows contact information. You can configure this message by calling the set_message() function. Like the fatalsToBrowser() function, set_message() needs to be explicitly imported into your namespace:

use CGI::Carp qw(fatalsToBrowser set_message);

Figure 2-1. A fatal error sent to the browser

Then call the set_message() function, supplying an argument of the message you want to appear:

set_message("This is a better message for the end.");

Incorporating the set_message() function into the example in Listing 2-1 yields the code shown in Listing 2-2.

Listing 2-2. Using set_message with CGI::Carp

#!/usr/bin/perl -T

use strict;

use CGI qw/:standard/;

use CGI::Carp qw(fatalsToBrowser set_message); set_message("This is a better message for the end.");

38C H A P T E R 2 ■ P O P U L A R C G I M O D U L E S

print header, start_html("Testing CGI Carp"); die ("This is a test die"); print end_html;

exit;

The results are displayed in Figure 2-2.

Figure 2-2. Using set_message to send a better message to the browser

Writing to an Alternate Log File

Normally, errors that occur in CGI programs are sent to the Apache error log. Actually, errors are sent to STDERR, which is normally picked up by Apache and written to the error log. It can be helpful to have this information written to a different error log. Doing so is possible with the help of CGI::Carp, which outputs to a log file located in /home/u030701/logs/.

However, before you attempt to write to an alternate log file, you need to ensure that the web server has permissions to write to the log file. In the case of Apache, the server usually runs as a nonprivileged user such as www-data, apache, httpd, or the like. Therefore, to enable