develooper Front page | perl.beginners | Postings from March 2002

re: unallowed chars

From:
Jenda Krynicky
Date:
March 30, 2002 04:48
Subject:
re: unallowed chars
Message ID:
3CA5C20C.24736.5034BAE@localhost
I guess it's me who should apologize.
Your second mail really sounded like you did not read my mail at 
all and I overreacted.

For unallowed chars:

1) Almost always you do not want characters with code 0.
Most system calls expect strings ended by zero so they might use 
only part of the data you pass in. E.g. suppose you want to allow 
users to upload some files, but want to allow only the .html extension. 
So you do this:

	$filename = $cgi->param('filename');
	$filename .= '.html'
		if ($filename !~ /\.html$/);

	open OUT, "> $filename";
	... and write the posted data into that file

Now suppose the data sent by the malicious user was:
	"gotcha.asp\0.html"

Now your regexp is content, everything looks safe (well except that 
you should also test whether the user doesn't try to overwrite 
something or to save the file in a different folder, but that's another 
problem). But the system will only see "gotcha.asp" and will create 
that file. And (assuming all the time you are using MS IIS) the user 
may run any code he wishes on your server.

2) When inserting the value into some code (even if the code is just 
HTML) you should never forget to escape the specials. For SQL 
you have to double the single quote; for HTML the &, <, >, \x80-\xFF 
and a few others if you include the value in text, plus double 
and single quote if it's gonna be in a tag attribute; and you should 
add a backslash when escaping for JavaScript, ...

	use HTML::Entities;
	# Text between tags: everything outside the listed "safe" set
	# (so &, <, > and all non-ASCII) is turned into an entity;
	# quotes may stay as they are in this context.
	sub HTMLescape {
		return HTML::Entities::encode($_[0], 
			'^\r\n\t !\#\$%\"\'-;=?-~');
	}
	# "<title>" . HTMLescape($title) . "</title>"

	# Attribute value: same as above, but the safe range now starts
	# at '(' so " and ' are encoded as well.
	sub TAGescape {
		return HTML::Entities::encode($_[0], '^\r\n\t !\#\$%\(-;=?-~');
	}
	# q{<input type=text name="foo" value="}
	#   . TAGescape($foo) . q{">}

	# JavaScript string inside an attribute: backslash-escape the
	# backslashes as well as the quotes (otherwise a backslash already
	# in the data would neutralise the one added for a following quote),
	# then entity-encode for the attribute.
	sub JSescape {
		my $s = $_[0];
		$s =~ s/([\\'"])/\\$1/g;
		return HTML::Entities::encode($s, '^\r\n\t !\#\$%\(-;=?-~');
	}
	# q{<A href="JavaScript:Foo( '}
	#   . JSescape($bar) . q{', 1)">Foo</a>}

3) When passing the data as a parameter to another program:
	If possible use system(@list).
	Watch mainly for [\r\n&|><\0;\$], but I'm sure there are others 
	I forgot about.

	When constructing a command string do not forget to enclose
	the parameters in quotes (single or double depending on your
	OS) in case there were spaces in them, and don't forget to
	escape the quotes that might be in the data.

4) be paranoid ;-)

Jenda

P.S.: The fact that I am paranoid doesn't mean they are not out to 
get me!

P.P.S.: Just now I feel like killing someone ... or myself. Any 
volunteers?

=========== Jenda@Krynicky.cz == http://Jenda.Krynicky.cz ==========
There is a reason for living. There must be. I've seen it somewhere.
It's just that in the mess on my table ... and in my brain
I can't find it.
					--- me
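The following script is an added example, not code from Jenda's post, putting points 1 and 3 of the post into practice: an uploaded file name is rejected if it contains a NUL byte or anything outside a whitelist, its directory part is thrown away, the extension is enforced only after those checks, the file is opened with the three-argument open, and the name is handed to another program as a list rather than an interpolated string. `$UPLOAD_DIR` and the `gzip -k` call (GNU gzip) are assumptions for the demo, and the file names at the bottom, including the `"gotcha.asp\0.html"` case from the post, are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the original post): checking an uploaded file name
# before it reaches open() or another program. $UPLOAD_DIR and the gzip call
# are assumptions for the demo; the file names at the bottom are constructed.
use strict;
use warnings;
use File::Basename qw(basename);
use File::Spec;

my $UPLOAD_DIR = '/var/www/uploads';    # assumed location

# Returns ($path, undef) for an acceptable name or (undef, $reason) otherwise.
sub safe_upload_path {
    my ($name) = @_;
    return (undef, 'empty name') unless defined $name && length $name;

    # The C library and the OS stop reading at the first NUL byte, so a name
    # that satisfies a Perl regexp can still end up as something else on disk.
    return (undef, 'NUL byte in name')  if $name =~ /\0/;
    return (undef, 'control character') if $name =~ /[\x01-\x1f\x7f]/;

    # Drop whatever directory the client supplied (../, absolute paths).
    # basename() on Unix does not treat backslashes as separators, so strip
    # them explicitly as well.
    my $base = basename($name);
    $base =~ s{[\\/]}{}g;
    return (undef, 'empty after stripping directory') if $base eq '';
    return (undef, 'hidden or dot name') if $base =~ /\A\./;

    # Whitelist what is allowed rather than trying to enumerate what is not.
    return (undef, 'disallowed characters')
        unless $base =~ /\A[A-Za-z0-9._-]{1,100}\z/;

    # Enforce the extension only after the checks above, so ".html" really is
    # the end of the name the OS will see.
    $base .= '.html' unless $base =~ /\.html\z/;

    return (File::Spec->catfile($UPLOAD_DIR, $base), undef);
}

# Three-argument open: the mode is a separate argument, so nothing in $path
# can be read as a redirection ("> file") or as a pipe to a command.
sub write_upload {
    my ($path, $data) = @_;
    open my $out, '>', $path or die "cannot write $path: $!";
    print {$out} $data;
    close $out or die "cannot close $path: $!";
    return 1;
}

# Handing the name to another program: a list, never an interpolated string,
# so no shell sees it and [\r\n&|><;$] in the data are just bytes. '--' keeps
# a name starting with '-' from being taken as an option. (Assumes GNU gzip.)
sub compress_upload {
    my ($path) = @_;
    return system('gzip', '-k', '--', $path) == 0;
}

unless (caller) {
    # Constructed test names, including the one from the post.
    my @names = (
        "gotcha.asp\0.html",
        '../../etc/passwd',
        '-rf',
        'report',
        'my page.html',
        'index.html',
    );
    for my $n (@names) {
        my ($path, $why) = safe_upload_path($n);
        my $shown = $n;
        $shown =~ s/\0/\\0/g;
        printf "%-22s -> %s\n", qq{"$shown"},
            defined $path ? $path : "rejected ($why)";
    }
}
```

Run it as a script to see which constructed names are accepted (and under what final name) and which are rejected, and why. Note that `../../etc/passwd` is not rejected but reduced to `passwd.html` under the upload directory: the directory part the client sent is simply not trusted.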

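This second added example (again not code from the post) takes point 2 further than the HTML::Entities-based subs above: one escaping routine per output context, written in plain Perl so it runs without HTML::Entities, plus the combination needed for script inside an attribute, where the browser decodes entities first and runs the JavaScript afterwards. The backslash is escaped before the quotes for the reason given in the post's JSescape, and `<`, `>` and `&` are written as hex escapes so a `</script>` in the data cannot end an inline script block. The DBI placeholder lines are in a comment because the script has no database; the payloads at the bottom are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the original post): one escaping routine per output
# context, in plain Perl. The payloads at the bottom are constructed.
use strict;
use warnings;

# Text between tags: &, < and > are the characters that change meaning there.
sub html_text_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Attribute value: text rules plus both kinds of quote, since either could
# close the attribute depending on how the tag was written.
sub html_attr_escape {
    my $s = html_text_escape($_[0]);
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# JavaScript string literal. Backslash first, or a backslash already in the
# data would neutralise the one added for a following quote. Line breaks
# become \n and \r so the literal stays on one line, and < > & are written as
# hex escapes so "</script>" in the data cannot close an inline script block.
sub js_string_escape {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;
    $s =~ s/'/\\'/g;
    $s =~ s/"/\\"/g;
    $s =~ s/\r/\\r/g;
    $s =~ s/\n/\\n/g;
    $s =~ s/</\\x3c/g;
    $s =~ s/>/\\x3e/g;
    $s =~ s/&/\\x26/g;
    return $s;
}

# Script inside an attribute (the href="JavaScript:..." case from the post):
# the browser decodes entities first, then runs the script, so the JS escaping
# goes on the inside and the attribute escaping on the outside.
sub js_in_attr_escape {
    return html_attr_escape(js_string_escape($_[0]));
}

# SQL: with DBI, don't build the literal at all; use a placeholder:
#   my $sth = $dbh->prepare('SELECT id FROM users WHERE name = ?');
#   $sth->execute($name);
# Doubling the single quote, as the post says, is the fallback when the
# value has to appear inline in the statement text.
sub sql_single_quoted {
    my ($s) = @_;
    $s =~ s/'/''/g;
    return "'$s'";
}

unless (caller) {
    my @payloads = (
        q{<script>alert(1)</script>},
        q{" onmouseover="alert(1)},
        q{\' + alert(1) + \'},
        qq{line1\nline2'; alert(1); '},
        q{O'Brien},
    );
    for my $p (@payloads) {
        print "input:     $p\n";
        print "text:      <title>", html_text_escape($p), "</title>\n";
        print "attribute: <input value=\"", html_attr_escape($p), "\">\n";
        print "js attr:   <a href=\"JavaScript:Foo('",
            js_in_attr_escape($p), "', 1)\">Foo</a>\n";
        print "sql:       SELECT id FROM users WHERE name = ",
            sql_single_quoted($p), "\n\n";
    }
}
```

The third payload is the case the plain quote-escaping misses: the data already carries a backslash before the quote, so escaping only the quote would leave `\\'` in the script and the string would still be terminated. Compare the four output lines for each payload to see that the same value needs a different transformation in each context.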