
Re: Allow only letters and numbers?

From:
merlyn
Date:
February 21, 2002 20:08
Subject:
Re: Allow only letters and numbers?
Message ID:
m1y9hmyx7x.fsf@halfdome.holdit.com
>>>>> "Timothy" == Timothy Johnson <tjohnson@sandisk.com> writes:

Timothy> Okay, I get what you're saying about \z, sort of, assuming
Timothy> that the user doesn't have to enter in the text at a prompt
Timothy> and you're not reading from a file where lines are delimited
Timothy> by newlines, but I don't get where this ties into security.
Timothy> Could you explain?

Suppose you used that to validate a new username in $string.  And
then, having validated that, you use $string to create new line in a
passwd-like file:

   print PASSWORD $string, ":", $newpassword, ...;

oops...  I just corrupted your password file with my new user ID, and
I might be able to use that either for a denial-of-service, or perhaps
gimmick up a better user status for myself.

First rule of security -- Make sure your validations actually work!

Yours didn't, and that means that life would be sweet for the
intruder.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
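The failure Randal describes, as an added example that is not part of his post: the first validator uses `$`, which in Perl also matches just before a trailing newline, so a username such as "alice\n" passes; the second uses `\z`, which matches only at the true end of the string. The record is built in memory rather than written to a real file so the corruption is visible without touching anything. The function names and the sample inputs are constructed for this example.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): why /^[A-Za-z0-9]+$/ is not a
# safe "letters and numbers only" check, and how \z closes the hole.
use strict;
use warnings;

# The validator as it is usually first written. $ matches at the end of the
# string OR immediately before a trailing newline, so "alice\n" is accepted.
sub valid_with_dollar {
    my ($s) = @_;
    return $s =~ /^[A-Za-z0-9]+$/ ? 1 : 0;
}

# The corrected validator. \z matches only at the absolute end of the string
# (\A is the absolute start; without /m, ^ would behave the same here).
sub valid_with_z {
    my ($s) = @_;
    return $s =~ /\A[A-Za-z0-9]+\z/ ? 1 : 0;
}

# Build one passwd-like record (user:hash:uid:shell) in memory instead of
# printing to a filehandle, so the effect can be inspected directly.
sub make_record {
    my ($user, $hashed, $uid) = @_;
    return join(":", $user, $hashed, $uid, "/bin/sh") . "\n";
}

# Constructed inputs: a benign name, and the same name with the trailing
# newline that a prompt or a line-oriented file read may hand you verbatim.
for my $name ("alice", "alice\n") {
    (my $shown = $name) =~ s/\n/\\n/g;    # make the newline visible in output
    printf "%-9s  \$-check: %d   \\z-check: %d\n",
        "\"$shown\"", valid_with_dollar($name), valid_with_z($name);
}

# What actually lands in the file if only the $ check stood in the way:
my $bad = "alice\n";
if (valid_with_dollar($bad)) {
    my $rec   = make_record($bad, 'x', 1001);
    my @lines = split /\n/, $rec;
    print "\nRecord produced under the \$-only check spans ",
          scalar(@lines), " lines:\n";
    print "  [$_]\n" for @lines;
    # The entry is now split: line one is just "alice", and line two begins
    # with ":x:1001:/bin/sh", so the file no longer has one entry per line.
}
```

Run it as `perl validate.pl` (any file name works). The first table line shows both checks accepting "alice"; the second shows the `$` check accepting "alice\n" while the `\z` check rejects it, and the trailing dump shows the single record turned into two lines, which is exactly the corruption the post warns about.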
