Standalone Trackback Security

Technology: 08 Dec 2003, 17:15

Is Standalone Trackback safe? I obviously think so, but that and a buck-fifty might buy you a cup of coffee. Here are some reasons to consider giving it a chance.

1. The development version runs with the perl taint checks turned on. And the modification to untaint the variable is completely superfluous (this variable is used to generate a filename).

       $tb_id =~ tr/a-zA-Z0-9/_/cs;
   
       #untaint the id
       if ( $tb_id =~ /(\\w+)/ ) {
           return $1;
       } else {
           return '';
       }
   

2. User input is sanitized to remove harmful html code before it is stored.
3. If I can get your eyeballs to scrutinize the code, then we can make it that much safer.

Navigation

• Main
• Technology
  • Java
  • Content Management
  • Weblog Customization
• Sports
• Contact

Recent Articles

• The Return of the King
• Broncos make the Playoffs
• It's all about the Money
• Adding a Hibern8IDE browser to your Hibernate Project
• RSS Bandwidth Efficiency
• Standalone Trackback Security
• Broncos still alive
• Standalone Comments
• Bowl Games the Goose that lays the Golden Eggs
• Standalone Trackback for Radio Userland
• Thinking small and living large

Blog Roll

• Gene Becker
  
• Workbench
  
• Code Monkeyism
  
• Smalltalk with James Robertson
  
• house of warwick
  
• Percipio
  

Colophon

• Powered by Textpattern
• Hosted by Joyent
• Header from iStockphoto