[11-14-98]

[1] Fixed chat.cgi being hardcoded in chat-html.pl. Thanks to Raymond Kaya for the notification.

[10-21-98]

[1] Fixed bug with old chat messages not deleting. Thanks to Ed Milts and Raymond Kaya for the notification.

[7-26-98]

[1] Fixed many taint mode issues including the following:

[2] Old messages could not be deleted because the file list needed to be untainted.

[3] Untainted setup file if a user custom setup file was passed to the script.

[4] Untainted session information so that who files and other files dependent on session information could be removed when they expire.

[3-31-98]

[1] Added -T taint checking to the header of the cgi script. For example,

    #!/usr/local/bin/perl

becomes

    #!/usr/local/bin/perl -T

Perl 4 Note: Perl 4 does not support the -T parameter. Instead, use

    #!/usr/local/bin/taintperl

Taint checking basically forces the programs to validate all input that is going to have any effect on files or system calls. In addition, library calls need to be explicitly named, so ./ is prefixed in front of required libraries in the current subdirectory.

[2] Made modifications to the main Chat script to support taint checking. Any time a filename results from user input such as form input, that input needs to be validated before the taint-checking perl script will consider it safe. Thus, changes have been made to validate the data using techniques described in the perl documentation and the WWW security FAQ by Lincoln Stein, located at http://www.w3.org/Security/Faq/

[3] The actual file modifications that were made follow:

Added code to validate the session variable and make sure it only consists of word characters. Lines 475 and 331 both require clean up of the $session variable. So code was added to do this:

    $session =~ /(\w*)/;
    $session = $1;

Note though that when taint mode is on, paths need to become more specific. For example, the library require statements use "./" to indicate explicitly that we are grabbing the library from the current directory and not just from the @INC include path. This change was also done to the chat.cgi program.
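
The following is an added example, not code from chat.cgi. It compares the /(\w*)/ pattern quoted above with an anchored pattern that rejects input containing anything other than word characters instead of keeping only its leading part. The helper names, the 32-character limit and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl -T
# Run as ./example.pl or "perl -T example.pl" (the -T on the #! line must
# also be given on the command line when perl is invoked explicitly).
use strict;
use warnings;

# Hypothetical helper (not from chat.cgi): returns an untainted session id,
# or undef when the input is not made up entirely of 1-32 word characters.
sub untaint_session {
    my ($raw) = @_;
    return undef unless defined $raw;
    # \A and \z anchor the whole string; unlike $, \z does not accept a
    # trailing newline.
    return $raw =~ /\A(\w{1,32})\z/ ? $1 : undef;
}

# The unanchored pattern from the changelog entry, wrapped for comparison.
# \w* can match the empty string, so the match always succeeds and $1 is
# whatever run of word characters starts the input (possibly nothing).
sub changelog_pattern {
    my ($raw) = @_;
    $raw =~ /(\w*)/;
    return $1;
}

# Constructed sample inputs: one well-formed id and several malformed ones.
my @samples = ('a1b2c3d4', 'abc/../../setup', '../../etc/passwd', "abc\n", '');

for my $raw (@samples) {
    (my $shown = $raw) =~ s/\n/\\n/g;    # make the newline visible
    my $loose  = changelog_pattern($raw);
    my $strict = untaint_session($raw);
    printf "%-20s unanchored=%-12s anchored=%s\n",
        "'$shown'", "'$loose'",
        defined $strict ? "'$strict'" : 'rejected';
}
```

Only the first sample passes the anchored check. The unanchored pattern returns a value for every sample, including an empty string, so a caller using it still has to test for an empty or unexpected result before building a filename.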