untainting data (PERL CGI Beginners, November 2004)
David Gilden 2004-11-10, 3:55 pm
Hello,
Is the following all I need to untaint data?
#!/usr/bin/perl
use CGI qw/:standard/;
my $name = param('name');
$name =~ s/(\w+)/$1/;
What can I do to limit string length to 40 characters?
Thanks,
Dave
(kora musician / audiophile / webmaster @ www.coraconnection.com / Ft. Worth, TX, USA)
Gunnar Hjalmarsson 2004-11-10, 8:55 pm
David Gilden wrote:
> Is the following all I need to untaint data?
>
> #!/usr/bin/perl
> use CGI qw/:standard/;
> my $name = param('name');
> $name =~ s/(\w+)/$1/;
That does not untaint anything.
What you need to do to learn about taint mode is to read the
applicable docs:
perldoc perlsec
> What can I do limit string length to 40 characters?
Use a suitable function, or a regex, or something like that. What have
you tried?
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
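Gunnar points to perlsec; as an added example (not code from any poster in this thread), here is the approach perlsec describes applied to Dave's two questions: the whole value is matched against an anchored allow-list, the capture is what gets used afterwards, and the {1,40} quantifier is the length limit. The parameter name 'name' and the allowed character set are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from any poster in this thread: untaint a CGI
# parameter the way perlsec describes. Only data that has passed through a
# regex capture is untainted, so the whole value must match an anchored
# allow-list and the capture ($1) is what gets used from then on.
use strict;
use warnings;
use CGI qw/:standard/;

# Allow 1 to 40 characters drawn from an explicit set (word characters,
# space, dot, apostrophe, hyphen); the {1,40} quantifier is the length
# limit. \A and \z anchor the whole string; a bare $ would let a trailing
# newline through. Returns undef when the value is missing or invalid.
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([\w .'-]{1,40})\z/ ? $1 : undef;
}

# For comparison, the substitution from the original question:
#   $name =~ s/(\w+)/$1/;
# replaces the first run of word characters with itself and leaves the rest
# of the string in place, so a value such as "Dave; extra stuff" comes back
# unchanged, and its length is never checked.

my $name = untaint_name(scalar param('name'));

print header('text/plain');
if (defined $name) {
    print "Hello, $name\n";
} else {
    print "Invalid name: 1 to 40 characters from letters, digits, '_', space, '.', \"'\" or '-'.\n";
}
```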
If the 'name' is coming from a Form, try limiting it within the form tags,
it's always a better idea.
<input type=text name=name MAXLENGTH=40>
Or if you insist on doing it within the script, use the 'substr' function.
my $name = param('name');
my $limited_name = substr($name, 0, 40);
Thanks,
Sara.
B McKee 2004-11-10, 8:55 pm
On Wednesday, November 10, 2004, at 04:02 PM, Sara wrote:
> If the 'name' is coming from a Form, try limiting it within the form
> tags,
> it's always a better idea.
I thought (correct me if I'm wrong here - I'm no expert)
that you want to do this at both ends....
because the bad guys can always create their own form
(or whatever) and shove bad data at the web server.
Brian
Gunnar Hjalmarsson 2004-11-10, 8:55 pm
Sara wrote:
> If the 'name' is coming from a Form, try limiting it within the form
> tags, it's always a better idea.
>
> <input type=text name=name MAXLENGTH=40>
Better!? Nope. It may be a convenient *supplement*, so that people don't
need to unnecessarily type a string that the script immediately rejects,
but please note that people can submit to the script using e.g. their
own form, so if you want to *make sure* that longer strings are not
accepted, the maxlength attribute is not sufficient, and can *never*
replace a proper validation of the form data.
> bad guys can always create their own form
I can't say how others do it but almost every one of my scripts starts with:
if ($ENV{'HTTP_REFERER'} !~ /yourdomain\.com/) { # the Referer header arrives as HTTP_REFERER
    exit;
}
it helps eliminate Bad Guys' forms and shoving of data (no remote postings
allowed).
Sara.
Bob Showalter 2004-11-10, 8:55 pm
Sara wrote:
>
> I can't say how others do it but almost my every script starts with:
>
> if ($ENV{'HTTP_REFREER'} !~ /yourdomain.com/) {
> exit;
> }
>
> it helps eliminating of Bad Guys forms & shoving of data (no remote
> postings allowed).
You do know that the Referer header can be trivially spoofed?
No, I don't know; can you please explain how it can be spoofed? I am interested in the details.
Gunnar Hjalmarsson 2004-11-10, 8:55 pm
Sara wrote:
>
> I can't say how others do it but almost my every script starts with:
>
> if ($ENV{'HTTP_REFREER'} !~ /yourdomain.com/) {
> exit;
> }
>
> it helps eliminating of Bad Guys forms & shoving of data
Really?
use strict;
use warnings;
use HTTP::Request::Common 'POST';
use LWP::UserAgent;
my $ua  = LWP::UserAgent->new;
my $req = POST 'http://yourdomain.com/cgi-bin/sara.cgi',
    referer => 'yourdomain.com',          # the client chooses what ends up in HTTP_REFERER
    content => [ name => 'hello' x 20 ];  # a 100-character 'name', far beyond a 40-char limit
my $res = $ua->request($req);
print $res->content;
As you can see, it's very easy to fake the HTTP_REFERER.
Shaun Fryer 2004-11-12, 8:55 am
> I can't say how others do it but almost my every script starts with:
>
> if ($ENV{'HTTP_REFREER'} !~ /yourdomain.com/) {
> exit;
> }
>
> it helps eliminating of Bad Guys forms & shoving of data (no remote postings
> allowed).
Sorry to differ, but it does not. The HTTP_REFERER is set by the client.
A better way is to use a regex match such as below within your CGI.
use strict;
use warnings;
use CGI;
my $cgi = CGI->new;
my $foo = $cgi->param('foo');
inputErrorHandler($foo) unless testInput($foo);   # inputErrorHandler() is yours to write
sub testInput { # boolean
    my $string = shift;
    return 0 unless defined $string;
    return 0 if ($string =~ /[^\w\.\-\@]/); # reject anything but word chars, '.', '-' and '@'
    return 1;
}
PS. To test any given filter, try telnetting to port 80 on your web-server
and issuing the resource request manually in plain text. Crafting malicious
input is one excellent way of security testing CGI software.
PPS. See also: `perldoc perlre`, CGI::Validate, RFC 2616, etc...
--
=====================
Shaun Fryer
=====================
http://sourcery.ca/
ph: 416-544-9461
=====================
Shaun Fryer 2004-11-12, 8:55 am
> inputErrorHandler($foo) unless testInput($foo);
Sorry for the typo. ;) Of course inputErrorHandler() is up to you to create.