Front page | perl.beginners |
Postings from April 2002
re: unallowed chars
From:
Teresa Raymond
Date:
April 1, 2002 08:25
Subject:
re: unallowed chars
Message ID:
p05100301b8ce3a26766a@[67.37.186.90]
Thank you Jenda! I acted defensively in my email response to you.
It's good to know about the 0, I never heard that before.
>I guess it's me who should apologize.
>Your second mail really sounded like you did not read my mail at
>all and I overreacted.
>
>For unallowed chars:
>
>1) almost always you do not want characters with code 0
>Most system calls expect strings ended by zero so they might use
>only part of the data you pass in. Eg. suppose you want to allow
>users to upload some files, but want to allow only .html extension.
>So you do this:
>
>     $filename = $cgi->param('filename');
>     $filename .= '.html'
>         if ($filename !~ /\.html$/);
>
>     open OUT, "> $filename";
>     ... and write the posted data into that file
>
>now suppose the data sent by the malicious user were:
> "gotcha.asp\0.html"
>
>Now your regexp is content, everything looks safe (well except that
>you should also test whether the user doesn't try to overwrite
>something or to save the file in a different folder, but that's another
>problem). But the system will only see "gotcha.asp" and will create
>that file. And (assuming all the time you are using MS IIS) the user
>may run any code he wishes on your server.
>
>2) When inserting the value into some code (even if the code is just
>HTML) you should never forget to escape the specials. For SQL
>you have to double the singlequote, for HTML the &, <, >, \x80-\xFF
>and a few others if you include the value in text, plus double
>and single quote if it's gonna be in a tag attribute, and you should
>add a backslash when escaping for JavaScript, ...
>
> use HTML::Entities;
> sub HTMLescape {
>     return HTML::Entities::encode($_[0],
>         '^\r\n\t !\#\$%\"\'-;=?-~');
> }
> # "<title>" . HTMLescape($title) . "</title>"
>
> sub TAGescape {
>     return HTML::Entities::encode($_[0], '^\r\n\t !\#\$%\(-;=?-~');
> }
> # q{<input type=text name="foo" value="}
> #     . TAGescape($foo) . q{">}
>
> sub JSescape {
>     my $s = $_[0];
>     $s =~ s/(['"])/\\$1/g;
>     return HTML::Entities::encode($s, '^\r\n\t !\#\$%\(-;=?-~');
> }
> # q{<A href="JavaScript:Foo( '}
> #     . JSescape($bar) . q{', 1)">Foo</a>}
>
>3) When passing the data as a parameter to another program:
> If possible use system(@list)
> Watch mainly for [\r\n&|><\0;\$], but I'm sure there are others
> I forgot about
>
> when constructing a command string do not forget to enclose
> the parameters in quotes (single or double depending on your
> OS) in case there were spaces in them, and don't forget to
> escape the quotes that might be in the data.
>
>4) be paranoid ;-)
>
>Jenda
>
>P.S.: The fact that I am paranoid doesn't mean they are not out to
>get me!
>
>P.P.S.: Just now I feel like killing someone ... or myself. Any
>volunteers?
>
>=========== Jenda@Krynicky.cz == http://Jenda.Krynicky.cz ==========
>There is a reason for living. There must be. I've seen it somewhere.
>It's just that in the mess on my table ... and in my brain
>I can't find it.
> --- me
--
-------------------------------
- Teresa Raymond -
- Mariposa Net -
- http://www.mariposanet.com -
-------------------------------
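An added example (not from Teresa's or Jenda's mail) that puts the quoted `.html` check next to a hardened filename validator covering points 1 and 3 above; the function names and the test inputs are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The check as quoted above: it only looks at how the string ends.
sub naive_ok {
    my ($filename) = @_;
    return $filename =~ /\.html$/ ? 1 : 0;
}

# Hardened check (hypothetical name). Rejects the NUL byte and the shell
# metacharacters the mail lists, then allow-lists the whole string.
sub safe_html_filename {
    my ($filename) = @_;
    return undef unless defined $filename;
    return undef if $filename =~ /\0/;              # NUL: C-level calls stop reading here
    return undef if $filename =~ /[\r\n&|><;\$]/;   # metacharacters from point 3
    return undef if $filename =~ m{[/\\]};          # keep it out of other folders
    # \A and \z rather than ^ and $: a bare $ also matches before a trailing
    # newline, so "x.html\n" would otherwise slip through.
    return undef unless $filename =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\.html\z/;
    return $filename;
}

# Constructed inputs, including the payload quoted in the mail.
my @cases = (
    "report.html",
    "gotcha.asp\0.html",
    "../index.html",
    "x.html\n",
    "a;b.html",
);

for my $name (@cases) {
    # make control characters visible in the output
    (my $shown = $name) =~ s/([\0-\x1f])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-24s naive=%d hardened=%s\n", qq{"$shown"},
        naive_ok($name),
        defined safe_html_filename($name) ? 'accepted' : 'rejected';
}
```

Only `report.html` passes the hardened check; the naive regexp accepts all five inputs, including the NUL payload and the trailing-newline case.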