Accessing form POST data
Mark

2004-07-28, 9:00 pm

I'm not a Perl expert yet (mainly PHP), but as I need to use a little bit of
Perl for a website I basically copied this code available on several web
tutorials (so I am guessing it is the standard way of doing it). I'm not
totally clear how it works but I can follow the gist. However, I am having
trouble accessing the POST variables that are posted to my page from another
form on a different server. The code just displays a blank.

This is the code I am using, copied from the tutorial:

#!/usr/bin/perl

# orderform.cgi

read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs)
{
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$Form{$name} = $value;
}

print <<END_of_multiline_text;
Content-Type: text/html; charset=ISO-8859-1

. . .

<p>Your order is worth a total of:
<strong>£$Form{'grandtotal'}</strong></p>

. . .

END_of_multiline_text;



BTW, I've also been warned that this code leaves me open to a DoS attack and
to use CGI.pm. If anyone would be so kind as to explain how this attack
works I would be interested. Not that I wish to attack anyone! I just want
to be educated about the security issues in Perl. Perhaps it would be better
to post this to me personally at mjtech_uk aaatttt yahoo.co.uk

Thanks v. much
Mark



Scott Bryce

2004-07-28, 9:00 pm

Mark wrote:
> I'm not a Perl expert yet (mainly PHP) but as I need to use a little bit of
> Perl for a website so I basically copied this code available on several web
> tutorials (so I am guessing it is the standard way of doing it).


No, it isn't.

<code snipped>

> BTW, I've also been warned <snip> to use CGI.pm.


That would be the standard way to do it.

cpan.org is your friend.

http://cpan.uwinnipeg.ca/htdocs/CGI.pm/CGI.html

Gunnar Hjalmarsson

2004-07-28, 9:00 pm

Mark wrote:
> I basically copied this code available on several web tutorials (so
> I am guessing it is the standard way of doing it).


It was a common way to do it ten years ago or so...

> I'm not totally clear how it works but I can follow the gist.


Never use a random piece of code copied from the web if you are not
sure of how it works!!

> However, I am having trouble accessing the POST variables that are
> posted to my page from another form on a different server. The code
> just displays a blank.
>
> This is the code I am using copied from the tutorial:
>
> #!/usr/bin/perl
>
> # orderform.cgi
>
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> @pairs = split(/&/, $buffer);
> foreach $pair (@pairs)
> {
> ($name, $value) = split(/=/, $pair);
> $value =~ tr/+/ /;
> $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> $Form{$name} = $value;
> }
>
> print <<END_of_multiline_text;
> Content-Type: text/html; charset=ISO-8859-1
>
> . . .
>
> <p>Your order is worth a total of:
> <strong>£$Form{'grandtotal'}</strong></p>
>
> . . .
>
> END_of_multiline_text;

-----------------------^

Besides that semicolon, which causes a compile time error and shall
not be there (unlike in PHP), there is nothing obviously wrong with
the above code. What does the form look like? Maybe there is no
"grandtotal" control in the form?

Nevertheless, as others have mentioned in another group, you'd better
use CGI.pm instead. Doing so, the above code could be replaced with:

#!/usr/bin/perl -T
use strict;
use warnings;

use CGI;

my $query = new CGI;
my %Form = $query->Vars;

print $query->header;

print <<END_of_multiline_text;

. . .

<p>Your order is worth a total of:
<strong>£$Form{'grandtotal'}</strong></p>

. . .

END_of_multiline_text

__END__

> BTW, I've also been warned that this code leaves me open to a DoS
> attack and to use CGI.pm. If anyone would be so kind as to explain
> how this attack works I would be interested.


The lack of a check of the size of the POSTed data makes it possible
to submit a huge amount of data and have your script process it. This
is a security issue whenever users submit data via a form, not only a
Perl issue, and using CGI.pm doesn't automatically prevent it.

If you use CGI.pm, you can add e.g.

$CGI::POST_MAX = 1024 * 100; # 100 KiB limit

before the "my $query = new CGI;" line.

> Not that I wish to attack anyone! I just want to be educated about
> the security issues in Perl. Perhaps it would be better to post
> this to me personally at ...


Why? Wouldn't security issues be of general interest? ;-)

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
Bob Walton

2004-07-28, 9:00 pm

Mark wrote:

> I'm not a Perl expert yet (mainly PHP) but as I need to use a little bit of
> Perl for a website so I basically copied this code available on several web
> tutorials (so I am guessing it is the standard way of doing it). I'm not
> totally clear how it works but I can follow the gist. However, I am having
> trouble accessing the POST variables that are posted to my page from another
> form on a different server. The code just displays a blank.
>
> This is the code I am using copied from the tutorial:
>
> #!/usr/bin/perl
>
> # orderform.cgi
>
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> @pairs = split(/&/, $buffer);
> foreach $pair (@pairs)
> {
> ($name, $value) = split(/=/, $pair);
> $value =~ tr/+/ /;
> $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> $Form{$name} = $value;
> }
>
> print <<END_of_multiline_text;
> Content-Type: text/html; charset=ISO-8859-1
>
> . . .
>
> <p>Your order is worth a total of:
> <strong>£$Form{'grandtotal'}</strong></p>
>
> . . .
>
> END_of_multiline_text;
>
> BTW, I've also been warned that this code leaves me open to a DoS attack and
> to use CGI.pm. If anyone would be so kind as to explain how this attack
> works I would be interested. Not that I wish to attack anyone! I just want
> to be educated about the security issues in Perl. Perhaps it would be better
> to post this to me personally at mjtech_uk aaatttt yahoo.co.uk

...
> Mark


Those that told you to

use CGI;

were well-informed. The broken crappy code you posted doesn't even
recognize that ; is a valid parameter separation character, in addition
to & , for example. It doesn't check to see if the parameters are
presented via the GET or POST method, or whether a different request was
made (HEADER, perhaps?). It is missing 'use warnings;' and 'use
strict;' -- let Perl help you all it can. As for denial of service
attacks, consider what happens if someone hits your site and keeps
dumping bigger and bigger parameter datasets your way. Eventually,
you'll run out of virtual memory and crash. I'm sure there are other
vulnerabilities as well.

Using CGI is also much easier:

use CGI qw(:standard);
#during development, put Perl errors to the browser
#(*very* most helpful):
use CGI::Carp qw(fatalsToBrowser);
use strict;
use warnings;
print header; #does Content-type header
print start_html('title');
#...
my $grandtotal=param('grandtotal'); #retrieves parameter
print <<EOT;
...
<strong>£$grandtotal</strong>
...
EOT
print end_html;

And you can debug it offline by just supplying parameter pairs as
arguments to your script, like:

perl script.pl grandtotal=123.45

See what you're missing?
--
Bob Walton
Email: http://bwalton.com/cgi-bin/emailbob.pl
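
The points raised in this thread fit together in one script: Gunnar's
$CGI::POST_MAX size limit against oversized POSTs, and Bob's remarks about
checking the request method, letting CGI.pm handle both & and ; as
separators, and running under strict and warnings. The following is an added
example written for this archive, not code from the thread or from CGI.pm's
own documentation. It assumes the form field is still called grandtotal, takes
the 100 KiB figure from Gunnar's reply, and the accepted amount format (up to
six digits with an optional two decimals) is this example's own assumption.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;

# Reject any request body larger than 100 KiB (the figure from the thread)
# instead of parsing it. This is the size check the hand-rolled read() loop
# never made, and it must be set before the CGI object is created.
$CGI::POST_MAX = 1024 * 100;
# The order form has no file-upload field, so refuse multipart uploads too.
$CGI::DISABLE_UPLOADS = 1;

my $query = CGI->new;

# When POST_MAX is exceeded CGI.pm does not die: it discards the parameters
# and records "413 Request entity too large" in cgi_error(). Without this
# check the script would carry on with an empty parameter list.
if ( my $err = $query->cgi_error ) {
    print $query->header( -status => $err );
    print "<p>Request rejected: $err</p>\n";
    exit;
}

# Only treat a POST as a submitted order. Under a web server REQUEST_METHOD
# is always set; it is undefined only when the script is run from the
# command line for debugging (perl orderform.cgi grandtotal=123.45), so
# that case is deliberately allowed through.
my $method = $query->request_method;
if ( defined $method && $method ne 'POST' ) {
    print $query->header( -status => '405 Method Not Allowed' );
    exit;
}

# Fetch exactly the field we need (CGI.pm already accepts both & and ; as
# separators and decodes %XX and +) and validate it before it is
# interpolated into HTML. The amount format is an assumption for this
# example. The capture also untaints the value under -T.
my $total = $query->param('grandtotal');
$total = '' unless defined $total;
unless ( $total =~ /\A(\d{1,6}(?:\.\d{2})?)\z/ ) {
    print $query->header( -status => '400 Bad Request' );
    print "<p>grandtotal must be a decimal amount such as 123.45.</p>\n";
    exit;
}
$total = $1;

print $query->header( -charset => 'ISO-8859-1' );
print <<"END_of_multiline_text";
<p>Your order is worth a total of:
<strong>&pound;$total</strong></p>
END_of_multiline_text
```

Run it offline the way Bob describes (perl orderform.cgi grandtotal=123.45)
to see the normal page, and with grandtotal=abc to see the 400 path. The
validation regex is what stops whatever the browser sent from being echoed
into the HTML as-is, which the original heredoc did.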

Tad McClellan

2004-07-28, 9:00 pm

Mark <noonehere@fakoaddresso.como> wrote:

> I am having
> trouble accessing the POST variables that are posted to my page from another
> form on a different server.



perldoc -q CGI

How do I decode a CGI form?


--
Tad McClellan SGML consulting
tadmc@augustmail.com Perl programming
Fort Worth, Texas

Copyright 2008 codecomments.com