Nov 19, 2001, 2:30 AM
Post #2 of 2
I feel sorry for you...
It seams that gut is really nasty (considering the proxy story).
You have taken down your script I guess?
What kind of script is it? What makes him abuse it? If you can post a link to the source, it's easier to find the bugs.
You should always be careful with input. Use regexps to validate it. Try a regexp to find whether someone adss a 'CrLf' character in the string. There are also other codes that can be interpreted as a line break. See `perldoc perlport`.
You can use -Tw at the #! line. This is a bit difficult, and properly you need to change some code in your script IF you want to get this security flag work without taining errors. -T asumes that all your input is bad, and you need to validate, and extract the data using a regexp first. see `perldoc perlsec` Only then you're allowed to use the input data in system calls, etc..
One other thing... The input isn't used for a directory or something right? If so, you need to check for codes that make a jump to the previous directory, like ../../file.txt or ../../etc/pwd The last example would be terible if your script does something like `cat /home/yourname/$inputname` to display a file.
Hope you can do something with it.
Yet an Other Perl Programmer
Find out more about programming