The answer to this is: A CGI program is prone to security problems no matter what language it is written in!
Never expose any form of data to the shell. All of the following are possible security holes:
    open (COMMAND, "/usr/ucb/finger $form_user|");   # piped open with a single string: the command line goes through /bin/sh
    system ("/usr/ucb/finger $form_user");            # single-argument system: the string is also run by the shell
    @data = `/usr/ucb/finger $form_user`;             # backticks always invoke the shell
See more examples in the following answers. You should also look at:
WWW Security FAQ (by Lincoln Stein) (http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html)
CGI Security FAQ (by Paul Phillips) (http://www.cerf.net/~paulp/cgisecurity/safe-cgi.txt)
@ans = `grep '$user_field' some.file`;
is insecure?
Yes! It's very dangerous! Imagine if $user_field contains:
    ; rm -fr / ;
The backticks hand the whole string to the shell, which treats the first ';' as the end of the grep command and runs whatever follows as a second command.
A safe equivalent of the above command, which never involves the shell, is:
    if (open (GREP, "-|")) {
        # parent: read grep's output from the pipe
        @ans = <GREP>;
    } else {
        # child: exec with a list of arguments, so $user_field reaches grep
        # as a single argv element and no shell ever interprets it
        exec ("/usr/local/bin/grep", $user_field, "some.file")
            || die "Error exec'ing command", "\n";
    }
    close (GREP);
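The same idea in a form that is easier to reuse, as an added example that is not part of the FAQ: the list form of open() (Perl 5.8 and later) does the fork/exec for you, the input is checked against a whitelist before it is used, and a '--' keeps grep from reading a value that starts with '-' as an option. The grep path, the file name some.file and the whitelist are assumptions for the demonstration.

```perl
use strict;
use warnings;

# Taint mode (perl -T) refuses to start a subprocess while PATH and a few
# other variables are untrusted, so clean them first (see perlsec).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Run a program given as a list of arguments and return its output lines.
# With more than one list element Perl calls execvp() directly: there is no
# shell to interpret ';', '|', backticks or $(...) in any of the arguments.
sub run_command {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my @out = <$fh>;
    close($fh);    # $? now holds the child's exit status (1 = no match for grep)
    return @out;
}

# Look up a user-supplied string in some.file (assumed file name).
sub safe_grep {
    my ($user_field) = @_;

    # Accept only a conservative whitelist of characters.  Under taint mode
    # this capture is also what untaints the value; a blacklist of "bad"
    # characters is the wrong way round and is easy to get incomplete.
    $user_field =~ /\A([\w.@-]{1,64})\z/
        or die "search field contains characters outside the whitelist\n";
    my $clean = $1;

    # -F: fixed string, not a regexp.  --: end of options, so a value such
    # as "-r" cannot be taken as a grep switch.
    return run_command('/usr/bin/grep', '-F', '--', $clean, 'some.file');
}

# Constructed inputs: one ordinary value and the hostile one from the FAQ.
for my $input ('alice', '; rm -fr / ;') {
    my @hits = eval { safe_grep($input) };
    if ($@) { print "'$input' rejected: $@"; }
    else    { print "'$input': ", scalar(@hits), " matching line(s)\n"; }
}
```

The hostile value is rejected by the whitelist before any command runs; even if the whitelist were wider, the list form of open() would pass it to grep as one literal argument rather than to a shell.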
No! It's not, on its own. It becomes a security hole if you build the pattern into Perl source and evaluate that source at runtime with the eval command, because the contents of $regexp are then compiled as Perl code, not just as a regexp. Something like this is dangerous:
    foreach $regexp (@all_regexps) {
        eval "foreach (\@data) { push (\@matches, \$_) if m|$regexp|o; }";
    }
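The way to match against user-supplied patterns without string eval, as an added example that is not part of the FAQ: compile the pattern with qr//, so it is only ever interpreted as a regexp, and use \Q...\E when the user meant a literal string. The data lines and sample patterns below are constructed for the demonstration.

```perl
use strict;
use warnings;

# Constructed data standing in for @data in the FAQ's example.
my @data = ('alice@example.org', 'bob@example.org', 'carol@test.net');

# Compile a user-supplied pattern as a regexp and nothing else.  A '|' or
# '}' inside it cannot close the pattern and continue as Perl code, which
# is exactly what the string-eval version permits.  An embedded (?{ ... })
# code block in a run-time interpolated pattern is refused by Perl unless
# the script says "use re 'eval'", so do not say it.
sub compile_pattern {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };    # block eval: only catches compile errors
    return $re if defined $re;
    warn "rejected pattern '$pattern': $@";
    return;
}

# When the user is meant to type a literal string rather than a regexp,
# \Q...\E (quotemeta) escapes every metacharacter before compilation.
sub compile_literal {
    my ($text) = @_;
    return qr/\Q$text\E/;
}

sub matches {
    my ($re, @lines) = @_;
    return grep { $_ =~ $re } @lines;
}

# An ordinary regexp supplied by the user.
my $re = compile_pattern('example\.org$');
print "regexp:  ", join(', ', matches($re, @data)), "\n" if $re;

# The delimiter trick that would inject code into the eval version is, under
# qr//, merely an alternation with an empty branch: harmless, matches everything.
my $trick = compile_pattern('|o; system("id"); m|');
print "trick:   ", scalar(matches($trick, @data)), " lines matched, no code run\n" if $trick;

# A pattern carrying a code block is refused outright (compile_pattern warns).
my $code = compile_pattern('(?{ system("id") })');
print "code:    ", ($code ? 'compiled' : 'refused'), "\n";

# A literal search: the '.' is a dot, not "any character".
my $lit = compile_literal('.org');
print "literal: ", join(', ', matches($lit, @data)), "\n";
```

The block eval around qr// only catches malformed patterns; it is not the string eval the FAQ warns about, since the argument is a block of Perl written by you, not text assembled from user input.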