For more information on writing CGI scripts in Perl, and some examples, try these links:
About Safe Perl
Safe Perl is configured to provide a more secure way of running Perl CGI scripts in a multiuser environment. You do not need to include the usual "#!/usr/bin/perl" line in your script as it will always be executed with Safe Perl.
A restricted set of the Perl language is available. Usage of unsafe features (even within eval statements) are trapped and the program is not run. The following list of restricted operators is not exhaustive but includes the most common cases:
- system, backticks (``), exec, fork, syscall, signal handlers, pipes
- network access (socket, bind, connect, ...)
- File munging (rename, link, opendir, chown, ...)
- System V IPC (shared memory, message queues, semaphores)
- File tests (-r, -w, -l, ...)
- Calling perl on other files (require, use, do 'file')
Opening files for reading/writing is restricted:
- Files opened for reading must be owned by the user. Your CGI program is run with a current directory of ~/cgi/. It is strongly recommended that you use relative pathnames (for example, "../public_html/foo")
- Files opened for writing must be opened by using a filename containing no "/" characters. The filename is taken to live in the directory ~/cgi/out and the file must already exist at the time the open is performed. It can be a symbolic link if desired
Once you have written and debugged your CGI program, put it in ~/cgi/bin (creating that directory if necessary). There is no need to include a leading "#!" line, nor will one be honoured if you do. Supposing that your username is abcd1234 and your program is called myscript, the URL to run your program is
When the web server runs your program it will run it with the privileges of your Oxford account.
Any use of a masked operator in your Perl program will trigger a compile time error and the program will not run at all. A "masked operator" is an operator which is restricted but, unlike "open", is not aliased to a sanitised version. The error message will be something like "opname trapped by operation mask at line ...".
Please be aware that it is possible that someone out on the web will be able to persuade your script do something you weren't expecting, even with the above restrictions. Even with the file limitations, for example, your program may have a bug which lets someone see the contents of any file you own. You are responsible for the CGI programs you write and you must ensure that your CGI programs do not contravene IT Services rules.
The perl built in sort operator is masked for security reasons. Two functions are provided for sorting lists in the two most common collating sequences: ASCII and numeric. To sort an array @unsorted into increasing ASCII order use
@sorted = sort_ascii(@unsorted);
To sort into increasing numerical order use
@sorted = sort_numeric(@unsorted);
If you want a decreasing order, then just use the standard Perl reverse operator on the resulting array.
Every CGI script must output at least one header line. If your program generates body output, it must include a Content-type header line indicating what kind of document (MIME type) it is producing. If your script outputs an HTML page, the correct format is:
If it is raw text then
The header output must be followed by two pairs of <CR><LF>. This means there must be a blank line after the last header line.
Our Safe Perl implementation includes a convenience function for sending email. The syntax is:
mail(RECIPIENT, SUBJECT, CONTENTS);
mail('firstname.lastname@example.org', 'Test mail', "Hello world\n") or oops("mail failed");
You will need to enclose the recipient email address in single quotes, or escape the @ if you use double quotes.
Email sent in this way will have a sender address of your own University email address.