     [nocol-users] security problems with webnocol.cgi, genweb.pl, notifier.pl, etc.

	I'm a relatively new user of nocol and I am quite pleased.
	I really like the short amount of time it took me to start
	monitoring remote DNS, SMTP, HTTP, and NNTP servers. However,
	I've had to disable webnocol.cgi because of its many security
	problems.

	The perlsec manual page has more details, including
	CGI-specific advice, but enabling taint mode in nocol's perl
	scripts would be helpful.

	When a perl script is invoked with -T, taint mode is enabled.
	In a nutshell, taint mode makes sure you verify the
	correctness of all data coming from untrusted sources.
	Because tainted data is tracked through all possible uses,
	a program that can run in taint mode without any warnings
	is likely to be much more secure.  Unfortunately, nocol's
	perl scripts can't yet do this.

	My standard advice to people writing new perl code is to start
	their script with the following block:

		#! perl -Tw
		use strict;
		use English;
		$WARNING = 1;	# equal to the valuable -w flag

	The strict mode, along with standard warnings, always
	results in much tighter code. Including taint mode too
	greatly increases the security of the script.

	I started to clean up genweb.pl and webnocol.cgi but stopped
	pretty quickly. Because I am new to the system I found
	myself guessing what should be done to eliminate warnings
	and that's a bad sign.

	Are these scripts going to be preserved in snips? If so,
	have they already been tightened? If not, is there someone
	who knows the scripts well that could try adding the excerpt
	above to all of nocol's perl code and eliminate the resulting
	warning messages? I'll try to help by answering any perl
	questions you might have.

		Thanks,

		   Scott
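
The taint-mode behaviour described in the message above, shown as an added example that is not part of the original post and is not nocol code. The `host` parameter, the sample values and the `untaint_hostname` helper are assumptions made for illustration; the values are constructed and marked tainted so the script runs offline.

```perl
#!/usr/bin/perl -T
# Added illustration, not nocol code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;    # keep our output in order with the child process output

# Under -T the inherited environment is tainted; pin it before any exec.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed sample values standing in for a CGI "host" parameter.
# Appending a zero-length slice of $^X (tainted under -T) taints each one,
# so the script behaves as if the values had arrived from the web server.
my $taint    = substr($^X, 0, 0);
my @requests = map { $_ . $taint }
    ('ns1.example.org', 'www.example.org; id', '-v', "mail.example.org\n");

# Hypothetical validator: accept only dot-separated DNS labels.
# Only a regex capture clears the taint flag, so the pattern is the policy:
# \A and \z anchor the whole string, and a label cannot start with "-".
my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
sub untaint_hostname {
    my ($raw) = @_;
    return unless defined $raw && length($raw) <= 253;
    return $raw =~ /\A($label(?:\.$label)*)\z/ ? $1 : undef;
}

for my $raw (@requests) {
    my $host = untaint_hostname($raw);
    (my $shown = $raw) =~ s/[^\x20-\x7e]/?/g;    # printable form for the log
    if (!defined $host) {
        printf "rejected %-22s (tainted=%d)\n", "'$shown'", tainted($raw) ? 1 : 0;
        next;
    }
    printf "accepted %-22s (tainted=%d)\n", "'$host'", tainted($host) ? 1 : 0;
    # List-form system() bypasses the shell; the argument is now untainted.
    system('/bin/echo', 'would probe', $host) == 0
        or warn "echo failed: $?\n";
}
```

The value with a trailing newline is rejected only because the pattern ends in `\z`; with `$` it would match and be untainted, which is why the capture pattern has to describe exactly what is allowed.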