Security aware programming(8)

• Common untainting mistakes:

  • the 'I am very lazy/stupid' regexp: /^(.*)$/
  • use 'allow lists', not 'disallow lists': /^([^list-of-chars]+)$/ # bad /^([list-of-chars]+)$/ # that's better
  • be careful with the empty match: /^(\w*)$/

• system "command $v $w"; # what if $v empty?

• system "rm", "-fr", "/some/path/$v/*";

  • use lower and upper limits for length: /^(\w+)$/ # can be any length /^(\w{1,8})$/ # that's better