develooper Front page | perl.beginners | Postings from April 2002

re: unallowed chars

Thread Previous | Thread Next
Teresa Raymond
April 1, 2002 08:25
re: unallowed chars
Message ID:
Thank you Jenda!  I acted defensively in my email response to you.

It's good to know about the 0, I never heard that before.

>I guess it's me how should apologize.
>Your second mail really sounded like you did not read my mail at
>all and I overacted.
>For unallowed chars:
>1) almost always you do not want characters with code 0
>Most system calls expect strings ended by zero so they might use
>only part of the data you pass in. Eg. suppose you want to allow
>users to upload some files, but want to allow only .html extension.
>So you do this:
>	$filename = $cgi->param('filename');
>	$filename .= '.html'
>		if ($filename !~ /\.html$/);
>	open OUT, "> $filename";
>	... and write the posted data into that file
>now suppose the data sent by the malicious user were:
>	"gotcha.asp\0.html"
>Now your regexp is content, everything looks safe (well except that
>you should also test whether the user doesn't try to overwrite
>something or to save the file in a different folder, but that's another
>problem). But the system will only see "gotcha.asp" and will create
>that file. And (assuming all the time you are using MS IIS) the user
>may run any code he wishes on your server.
>2) When inserting the value into some code (even if the code is just
>HTML) you should never forget to escape the specials. For SQL
>you have to double the singlequote, for HTML the &, <, >, \x80-
>\xFF and a few others if you include the value in text, plus double
>and single quote if it's gonna be in a tag attribute, and you should
>add a backslash when escaping for JavaScript, ...
>	use HTML::Entities;
>	sub HTMLescape {
>		return HTML::Entities::encode($_[0],
>			'^\r\n\t !\#\$%\"\'-;=?-~');
>	}
>	# "<title>" . HTMLescape($title) . "</title>"
>	sub TAGescape {
>		return HTML::Entities::encode($_[0], '^\r\n\t !\#\$%\(-;=?-~');
>	}
>	# q{<input type=text name="foo" value="}
>	#   . TAGescape($foo) . q{">}
>	sub JSescape {
>		my $s = $_[0];
>		$s =~ s/(['"])/\\$1/g;
>		return HTML::Entities::encode($s, '^\r\n\t !\#\$%\(-;=?-~');
>	}
>	# q{<A href="JavaScript:Foo( '}
>	#   . JSescape($bar) . q{', 1)">Foo</a>}
>3) When passing the data as a parameter to another program:
>	If possible use system(@list)
>	Watch mainly for [\r\n&|><\0;\$], but I'm sure there are others
>	I forgot about
>	when constructing a command string do not forget to enclose
>	the parameters in quotes (single or double depending on your
>	OS) in case they were spaces in them, and don't forget to
>	escape the quotes that might be in the data.
>4) be paranoid ;-)
>P.S.: The fact that I am paranoid doesn't mean they are not out to
>get me!
>P.P.S.: Just now I feel like killing someone ... or myself. Any
>=========== == ==========
>There is a reason for living. There must be. I've seen it somewhere.
>It's just that in the mess on my table ... and in my brain
>I can't find it.
>					--- me

-  Teresa Raymond             -
-  Mariposa Net               -
- -

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About