Strip characters

 



mmcw
User

Dec 4, 2000, 8:50 AM

Post #1 of 3 (492 views)
Strip characters

What characters should be stripped from an input field for a script so the input field cannot be used for abuse of the script?


Pasha
Deleted

Jan 7, 2001, 5:15 AM

Post #2 of 3 (487 views)
Re: Strip characters [In reply to]

No stripping required :) Here's all you need:

use strict;
use warnings;

# Read the raw POST body and decode its application/x-www-form-urlencoded pairs
read(STDIN, my $buffer, $ENV{'CONTENT_LENGTH'});
my @pairs = split(/&/, $buffer);
my %INPUT;
foreach my $pair (@pairs) {
    my ($name, $value) = split(/=/, $pair, 2);   # split on the first '=' only
    $value = '' unless defined $value;           # field sent with no value
    $value =~ tr/+/ /;                           # '+' encodes a space
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;   # %XX -> byte
    # A repeated field name is collected as a comma-separated list
    if (exists $INPUT{$name}) { $INPUT{$name} = $INPUT{$name} . "," . $value; }
    else { $INPUT{$name} = $value; }
}



Best regards,

Pasha




BigRich
Novice

Jan 7, 2001, 6:23 AM

Post #3 of 3 (485 views)
Re: Strip characters [In reply to]

It's much easier to tell your script to check for data that is ok than to try to tell it what not to accept.

perldoc perlsec goes into the details of untainting data.

### From perlsec

Here's a test to make sure that the data contains nothing but ``word'' characters (alphabetics, numerics, and underscores), a hyphen, an at sign, or a dot.


if ($data =~ /^([-\@\w.]+)$/) {
    $data = $1;                 # $data now untainted
} else {
    die "Bad data in $data";    # log this somewhere
}

This is fairly secure because /\w+/ doesn't normally match shell metacharacters, nor are dot, dash, or at going to mean something special to the shell. Use of /.+/ would have been insecure in theory because it lets everything through, but Perl doesn't check for that. The lesson is that when untainting, you must be exceedingly careful with your patterns. Laundering data using regular expressions is the only mechanism for untainting dirty data, unless you use the strategy detailed below to fork a child of lesser privilege.

The example does not untaint $data if use locale is in effect, because the characters matched by \w are determined by the locale. Perl considers that locale definitions are untrustworthy because they contain data from outside the program. If you are writing a locale-aware program, and want to launder data with a regular expression containing \w, put no locale ahead of the expression in the same block. See SECURITY in the perllocale manpage for further discussion and examples.

#########

see perldoc perlsec for more info


BigRich
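Putting the two replies together, as an added example that is not code from either poster: the decoding loop from the second post feeds a per-field allow-list check in the perlsec style. The anchors are \A and \z rather than ^ and $, because $ also matches before a trailing newline; the field names, rules, and request body are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode an application/x-www-form-urlencoded body into a hash of lists
# (same steps as the decoding loop above, with the field name decoded too).
sub parse_form {
    my ($buffer) = @_;
    my %input;
    for my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        for ($name, $value) {                 # aliases: edits both in place
            tr/+/ /;
            s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
        }
        push @{ $input{$name} }, $value;      # keep repeated fields as a list
    }
    return \%input;
}

# Allow-list check: the whole value must match the pattern, and the $1
# capture is what clears Perl's taint flag when running under perl -T.
sub untaint {
    my ($value, $pattern) = @_;
    return $value =~ /\A($pattern)\z/ ? $1 : undef;
}

# Per-field allow-lists (constructed): only these shapes are ever accepted.
my %rules = (
    user  => qr/[-\@\w.]{1,64}/,    # the perlsec character set, plus a length cap
    count => qr/[0-9]{1,5}/,        # digits only; \d would also admit Unicode digits
);

# Constructed body: two valid fields and one smuggling a shell metacharacter.
my $body = 'user=alice%40example.com&count=3&user=bob%3Bid';
my $form = parse_form($body);

for my $field (sort keys %rules) {
    for my $raw (@{ $form->{$field} || [] }) {
        my $clean = untaint($raw, $rules{$field});
        if (defined $clean) {
            print "$field: accepted '$clean'\n";
        } else {
            print "$field: rejected '$raw'\n";  # log it; never pass it on
        }
    }
}
```

Run it as perl -T on a real CGI body and the rejected value is the one that would otherwise reach the shell as bob;id.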

