[CincyPG] Security review request

Troy Davis troy at digissance.com
Sun Jun 29 00:30:00 EDT 2008 

Hi Everyone,

I've been very busy lately writing a launching a new product:  http://liberatedomains.com

I've got a Web-based version ready and would love to get some peer  
review on security risks. The intent is to protect the whois query as  
much as possible, both from others and people at my company. A lot of  
this comes down to whatever the security of Net::Whois::Raw is, but  
are there any suggestions on how I can make this code more secure?

Thank you!
Troy
_______

#!/usr/bin/perl
use strict;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use Net::Whois::Raw;
use HTML::Template;

my $cgiq = new CGI;

whoisOptions();

my $tld_txt = load_tlds();

my $domain = $cgiq->param('d');

my $template = HTML::Template->new(filename => 'liberatedomains- 
tmpl.html');

$template->param(DOMAIN => $domain);

if (!defined($domain) || $domain eq "") {
	$template->param(RESULT => "Please enter a domain name above.<br />
			Domain names look like one of these:
			<ul>
				<li>mycompany.com</li>
				<li>acharity.org</li>
				<li>www.wallaceandgromit.co.uk</li>
			</ul>");
} else {
	if ($domain !~ /^[0-9a-zA-Z][-0-9a-zA-Z.]*[0-9a-zA-Z]\.[a-zA-Z] 
{2,6}$/) {
		# Doesn't look like a domain, error
		$template->param(RESULT => "Sorry, that doesn't look like a domain.");
	} else {
		my $tld_match = 0;
		$domain =~ /^[0-9a-zA-Z][-0-9a-zA-Z.]*[0-9a-zA-Z]\.([a-zA-Z]{2,6})$/;
		my $possible_tld = $1;
		foreach my $tld (split("\n", $tld_txt)) {
			if ($tld !~ /^#/) {
				if (lc($tld) eq lc($possible_tld)) {
					$tld_match = 1;
				}
			}
		}
		if ($tld_match) {
			my $dominfo = whois(lc($domain));
			if (defined $dominfo) {
				$dominfo =~ s/^\s+//g;
				$template->param(RESULT => "This domain is probably already  
registered.<br /><pre>" . $dominfo . "		</pre>\n");
			} else {
				$template->param(RESULT => "This domain is probably available!");
			}
		} else {
			$template->param(RESULT => "$possible_tld doesn't look like a legit  
TLD in $domain.\n");
		}
	}
}

print $cgiq->header(), $template->output;

exit();

sub whoisOptions {
	# Try to strip copyright messages and disclaimers if possible
	$Net::Whois::Raw::OMIT_MSG = 2;
	$Net::Whois::Raw::CHECK_FAIL = 2;
	$Net::Whois::Raw::CHECK_EXCEED = 1;
	$Net::Whois::Raw::USE_CNAMES = 1;
	$Net::Whois::Raw::TIMEOUT = 10;
}

sub load_tlds {
	my $str;
	open(IN, "tlds-alpha-by-domain.txt");
	while (<IN>) {
		$str .= $_;
	}
	close IN;
	return $str;
}

More information about the CincyPG mailing list