
RE: First post from a new user

From: Bill Moseley <moseley(at)not-real.hank.org>
Date: Fri Sep 08 2000 - 15:10:56 GMT
At 06:43 AM 09/08/00 -0700, Don Hamilton wrote:
>Thanks for this. Just didn't realize what I was reading. In the mean time,
>the answer to my other question (is there a cgi for phrase searching with
>version 2) was just to modify John's cgi to include single quotes (')
>around the $query variable in the call to swish-e.

This statement made me go and take a really quick look at that script.

Unless I missed something, that script uses tainted data in $query for this
call:

  open(SWISH, "$swish -w $query -m $results $search_tags -f $index|");

This is not a safe way of calling swish in a CGI script.  See perldoc
perlsec and perldoc perlipc and read about "safe pipe opens".

People do use that above method and clean up the passed parameters rather
well, but I'd still not recommend that method.  Just fork and exec as
perlipc suggests.

A front-end CGI to swish is trivial to write.  If it doesn't seem so then
you are probably the wrong person to be implementing swish or any Perl cgi
script.  I'm not trying to be rude, but I say this because you can be risking
the health of your web site and system if you are not careful -- and there
are a lot of hackers out there that know about these insecure CGI scripts.

Every perl script running a CGI script should at least start out like this:

#!/usr/local/bin/perl -wT
use strict;

We should take some time and review the scripts available on the Swish-E
site and remove any that are insecure.

I'm writing a Perl module interface to swish that will work with both the
forked and library versions of swish-e.  I'll try to get it loaded to CPAN
at some time soon.


Bill Moseley
mailto:moseley@hank.org
Received on Fri Sep 8 15:11:06 2000
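As an added illustration of the fork-and-exec "safe pipe open" the message recommends (example code, not from the original post or from the Swish-E scripts): the swish-e path, index path and the query character set are assumptions chosen for the example.

```perl
#!/usr/local/bin/perl -wT
use strict;

# Constructed example: a minimal swish-e front-end that never hands the
# user's query to a shell.  Binary and index locations are assumptions.
my $swish   = '/usr/local/bin/swish-e';
my $index   = '/usr/local/swish/index.swish-e';
my $results = 20;

# perlsec: under -T, exec/system refuse to run until PATH and the
# shell-influencing variables are known-safe.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Decode the query and untaint it.  Taint mode keeps $raw tainted until a
# value is captured from it with a regex, so the capture IS the check.
my $raw = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';
$raw =~ tr/+/ /;
$raw =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
my ($query) = $raw =~ /^([\w\s"'*()-]{1,200})$/
    or die "Bad query\n";    # assumed: reject anything outside this set

# "Safe pipe open" from perlipc: fork, then exec with a LIST of arguments.
# No shell parses the line, so quotes or ';' in $query cannot change it.
my $pid = open(my $swish_fh, '-|');
die "Cannot fork: $!" unless defined $pid;
if ($pid == 0) {    # child: becomes swish-e
    exec($swish, '-w', $query, '-m', $results, '-f', $index)
        or die "Cannot exec $swish: $!";
}

# parent: relay swish-e output to the browser
print "Content-type: text/plain\n\n";
while (my $line = <$swish_fh>) {
    print $line;
}
close $swish_fh or warn "swish-e exited with status $?";
```

Contrast with the original `open(SWISH, "$swish -w $query ...|")`: that form goes through `/bin/sh`, so wrapping `$query` in single quotes only works until the query itself contains one.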