I finally blew my TAINT

Tom Allison 2005-08-02, 10:00 pm
I've been working on some HTML::Mason authentication code for a bit.
At one point it was working fine but I decided to rewrite some goodies
to clean things up a bit. Now I'm in trouble.
So.... I'm trying to get beyond this tainting stuff....
I tried $username =~ s/[^\w\-\@\.]//g;
but that doesn't seem to do it.
HTML::Mason::Exceptions::rethrow_exception('Insecure dependency in connect while running with -T switch at /usr/lib/perl/5.8/IO/Socket.pm line 114.^J') called at /usr/lib/perl/5.8/IO/Socket.pm line 114
What am I doing?
I pass a $username, $password into said form via HTTP POST
but I can't utilize the values because I have everything running in
Taint mode. I won't consider removing it.
Is there a perldoc I need to read?

Jeff 'japhy' Pinyan 2005-08-02, 10:00 pm
On Aug 2, Tom Allison said:
> So.... I'm trying to get beyond this tainting stuff....
>
> I tried $username =~ s/[^\w\-\@\.]//g;
> but that doesn't seem to do it.
Detainting via a regex requires you use text that matched; what this means
is you must use a capture variable. In your case, you can do your removal
of invalid characters and then use (.*) to untaint:
$username =~ s/[^\w\@.-]+//g; # remove unwanted characters
($username) = $username =~ /(.*)/s; # match everything and store
> Is there a perldoc I need to read?
The 'perlsec' docs. They have a rather apropos example:
if ($data =~ /^([-\@\w.]+)$/) {
    $data = $1; # $data now untainted
} else {
    die "Bad data in '$data'"; # log this somewhere
}
--
Jeff "japhy" Pinyan % How can we ever be the sold short or
RPI Acacia Brother #734 % the cheated, we who for every service
http://japhy.perlmonk.org/ % have long ago been overpaid?
http://www.perlmonks.org/ % -- Meister Eckhart
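Jeff's point in working form, as an added example that is not from the thread: an allowlist untaint helper (the name untaint_field and the constructed form values are mine; Scalar::Util::tainted is the real core function) showing that s/// removal leaves a value tainted while a capture against an allowlist untaints it and rejects bad input.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): allowlist untainting of login-form
# fields under taint mode, with a check of the taint flag at each step.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint a form value against an allowlist pattern. Only the captured
# text ($1) comes out untainted; removing characters with s/// does not
# clear the flag. A value that fails the pattern is rejected, not cleaned.
sub untaint_field {
    my ($label, $value, $pattern) = @_;
    defined $value or die "missing $label\n";
    if ($value =~ /^($pattern)\z/) {
        return $1;
    }
    die "bad data in $label\n";    # log this somewhere in real code
}

# Constructed input: %ENV is tainted under -T, and taint propagates through
# substr and concatenation, so this yields realistic tainted form values.
my $taint     = substr($ENV{PATH}, 0, 0);           # empty but tainted
my $form_user = "alice\@example.com" . $taint;      # constructed POST field
my $form_pass = "s3cr3t-pass" . $taint;             # constructed POST field

# Stripping unwanted characters alone: the result is still tainted.
(my $stripped = $form_user) =~ s/[^\w\@.-]+//g;
print "after s///:     ", (tainted($stripped) ? "tainted" : "clean"), "\n";

# Capture against an allowlist: the result is untainted and validated.
my $username = untaint_field('username', $form_user, qr/[\w\@.-]+/);
my $password = untaint_field('password', $form_pass, qr/[\x21-\x7e]{1,128}/);
print "after capture:  ", (tainted($username) ? "tainted" : "clean"), "\n";

# Input outside the allowlist (a space here) is refused rather than passed on.
eval { untaint_field('username', "bob smith" . $taint, qr/[\w\@.-]+/) };
print "rejected: $@" if $@;
```

Run it as `perl -T script.pl`; invoking plain `perl script.pl` fails with "Too late for -T" because the switch is read from the shebang line.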

Tom Allison 2005-08-02, 10:00 pm
Jeff 'japhy' Pinyan wrote:
> On Aug 2, Tom Allison said:
>
>
>
> Detainting via a regex requires you use text that matched; what this
> means is you must use a capture variable. In your case, you can do your
> removal of invalid characters and then use (.*) to untaint:
>
> $username =~ s/[^\w\@.-]+//g; # remove unwanted characters
> ($username) = $username =~ /(.*)/s; # match everything and store
>
I did get this far, but I ran into another set of questions...
I take a pair of vars ($username/$password) in from the POST and can
untaint that using the regex method described ( $username =~ /(\w+)/ )
and that seems to work well enough.
But later on I store the $username/$password into a Cache::FileCache
object using a $key. I don't think that has any problems either.
The $key is later used from the Cookie to reacquire the
$username/$password for authentication from the Cache::FileCache object.
How many of the following do I have to do:
untaint the $key after it's pulled from the apache Cookie.
untaint the $username/$password from the login form (DONE).
untaint the $username/$password from the Cache::FileCache object.
Because these variables are passed through a number of objects and
methods where is the best point to untaint the variables?

Tom Allison 2005-08-03, 10:00 pm
> How many of the following do I have to do:
>
> untaint the $key after it's pulled from the apache Cookie.
> untaint the $username/$password from the login form (DONE).
> untaint the $username/$password from the Cache::FileCache object.
>
> Because these variables are passed through a number of objects and
> methods where is the best point to untaint the variables?
>
All of them.
But I have to plug Test::More.
If you don't use it, you should.
It's a great aide at times like this.