CGI/Perl Guide | Learning Center | Forums | Advertise | Login Site Search: in Perl Guide PerlGuru Forums Learning Ctr

	MAIN INDEX	SEARCH POSTS	WHO'S ONLINE	LOG IN

Home: Perl Programming Help: Beginner: Cert Advisory 2000-02/Filtering Code HOW

Melissa Deleted Feb 9, 2000, 9:58 AM Post #1 of 6 (323 views) Cert Advisory 2000-02/Filtering Code HOW Can't Post I didn't write the cgi/perl scripts that we use for our website, but I have to do the modifications to identify the special characters. (remove meta characters from user-supplied cgi scripts) There are examples given, but I can't figure out where to put the examples in our scripts!!! I think I like example2's way of doing it, but I don't know which is better! Here are the examples, followed by my "guesses" on where I put them in my script(s). Example1: #! The first function takes the negative approach. #! Use a list of bad characters to filter the data sub FilterNeg { local( $fd ) = @_; $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g; return( $fd ) ; } #! The second function takes the positive approach. #! Use a list of good characters to filter the data sub FilterPos { local( $fd ) = @_; $fd =~ tr/A-Za-z0-9\ //dc; return( $fd ) ; } $Data = "This is a test string<script>"; $Data = &FilterNeg( $Data ); print "$Data\n"; $Data = "This is a test string<script>"; $Data = &FilterPos( $Data ); print "$Data\n"; Example2: #!/usr/local/bin/perl $_=$user_data = $ENV{'QUERY_STRING'}; #Get the data print "$user_data/n"; $OK_CHARS='-a-zA-Z0-9_.@'; # A restrictive list, which # should be modified to match # an appropriate RFC, for example. s/[^$OK_CHARS]/_/go; $user_data = $_; print "$user_data\n"; exit(0); --------------- script placement1?: sub get_form_data { # This function grabs the information from the browser and # crams it into a $fields associated array. # get the env variable and store it to the @prompts array read(STDIN, $save_string, $ENV{CONTENT_LENGTH}); @prompts = split(/&/,$save_string); # step through each variable, clean up the garbage, and store # it to the @fields variable. foreach (@prompts) { ($tmp1, $tmp2) = split(/=/,$_); $tmp2 =~ s/\x2b/\x20/g; $tmp2 =~ s/%2C/\x2c/g; $tmp2 =~ s/%28/\x28/g; $tmp2 =~ s/%29/\x29/g; $tmp2 =~ s/%3A/:/g; #convert 3A to colon $tmp2 =~ s/%40/\@/g; #at symbol # $fields{'comment_line'} =~ s/%0D%0A/\n/g; $fields{$tmp1} = &remove_escape_codes($tmp2); } } #end get_form_data script placement2?: sub check_form { if (($fields{'conference'} eq "") and ($fields{'tour'} eq "") and ($fields{'icebreaker'} eq "") and ($fields{'dinner'} eq "") and ($fields{'golf'} eq "")) { $incomplete_form = TRUE; } } # end check_form script placement2,another version of the check_from from another cgi script. this one checks to make sure it's an email address at least: sub check_form { if (($fields{'email'} eq "") &#0124; &#0124; (!($fields{'email'} =~ /.+@.+/))) { $missing_email = TRUE; $incomplete_form = TRUE; } if ($fields{'name'} eq "") { $missing_name = TRUE; $incomplete_form = TRUE; } if ($fields{'phone'} eq "") { $missing_phone = TRUE; $incomplete_form = TRUE; } } #end check_form

Melissa Deleted Feb 14, 2000, 3:34 PM Post #2 of 6 (323 views) Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post Moderators??? Anyone? Am I the only one who has to rewrite the cgi/perl scripts to filter out the characters like <>#! I thought scads of people would be rewriting just to strip out the code that someone could send through .... I've tested it. I can use straight html and cgi scripts through my forms. (currently disabled to public. :-)

kencl User Feb 14, 2000, 9:21 PM Post #3 of 6 (323 views) Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post I'm writing a subroutine which converts characters to their HTML equivalents, so that users can put up what they like. I'll post it once it's finished if you like. PS - no idea what these icons mean! How about using the alt tags so that a balloon help pops up onmouseover.

Melissa Deleted Feb 15, 2000, 7:52 AM Post #4 of 6 (323 views) Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post Now I'm really confused..... kencl, I would really love to see your script when you are finished!! Jasmine,I see what you mean by the subroutines that you posted for me, but I think the real problem is where they go, or what they are called, etc. in my script. I tried using the code that I put under Example 2 in my first post, but all it did was strip out everything, completely. I tried another version, using the subroutine named FilterNeg I have in Example 1 in my first post, but it doesn't do anything, because I can still submit those characters. Here's the majority of my script, I'll try leave out the html part that gets displayed, or the part that prints to the database/flatfile. I've left them in this script, they are commented out. Please look for the sub FilterNeg routine OR the part right under the read(STDIN) in the beginning that does the $OK_CHARS because those are the two that I've been trying to get to work, one or the other, I don't care at this point... Please don't hate me!!!!! #!/usr/bin/perl # # Program: dummy.cgi # # # Main # { &init; &show_standard_html_heading; &get_form_data; # &FilterNeg; &check_form; if ($incomplete_form eq FALSE) { &store_form; # Include the user's email in the e-mail list. if ($fields{'email'}) { push(@mail_user, $fields{'email'}); } &send_email; &notify_sender; } else { &redisplay_page; } &show_standard_html_ending; } # # End of Main # sub get_form_data { # This function grabs the information from the browser and # crams it into a $fields associated array. # get the env variable and store it to the @prompts array read(STDIN, $save_string, $ENV{CONTENT_LENGTH}); # $_=$save_string = $ENV{'QUERY_STRING'}; # print "$save_string\n"; # $OK_CHARS='-a-zA-Z0-9_.@'; # s/[^$OK_CHARS]/_/g; # $save_string = $_; # print "$save_string\n"; @prompts = split(/&/,$save_string); # step through each variable, clean up the garbage, and store # it to the @fields variable. foreach (@prompts) { ($tmp1, $tmp2) = split(/=/,$_); $tmp2 =~ s/\x2b/\x20/g; $tmp2 =~ s/%2C/\x2c/g; $tmp2 =~ s/%28/\x28/g; $tmp2 =~ s/%29/\x29/g; $tmp2 =~ s/%3A/:/g; #convert 3A to colon $tmp2 =~ s/%40/\@/g; #at symbol $fields{$tmp1} = &remove_escape_codes($tmp2); } } #end get_form_data sub show_standard_html_heading { print "Content-TYPE: text/html\n\n"; print <<EOM <HTML> <HEAD> <TITLE>Conference</TITLE> </HEAD> <BODY BGCOLOR="#FFFFFF" LINK=blue> EOM } #end show_standard_html_heading sub show_standard_html_ending { print "</FORM>"; print "</BODY>"; print "</HTML>"; } #end show_standard_html_ending sub init { $server_root = "/usr/netscape/suitespot/https-server/logs/"; # Push to as many users as necessary. push(@mail_user, "user\@domain.com"); $registration_file = $server_root."regtest.db"; $date_string = &get_date; $incomplete_form = FALSE; } #end init sub FilterNeg { local($fd) = @_; $fd =~ s/[\<\>\"\'\%\;\)\(\=\!\&\+]//g; return $fd; } #end FilterNeg sub check_form { if (($fields{'conference'} eq "") and ($fields{'tour'} eq "") and ($fields{'icebreaker'} eq "") and ($fields{'dinner'} eq "") and ($fields{'golf'} eq "")) { $incomplete_form = TRUE; } } # end check_form -----------------I didn't includee this part that is the HTML display and the form that gets submitted to a flatfile database and emails the users-------------- sub remove_escape_codes { # Take out all of the goofy escape codes that # the server likes to put in. local($variable, $keep_colon) = @_; $variable =~ s/\x2b/\x20/g; $variable =~ s/%2C/\x2c/g; $variable =~ s/%28/\x28/g; #convert 28 to left paren $variable =~ s/%29/\)/g; #convert 29 to righ paren $variable =~ s/%3A/\x3a/g; #convert 3A to colon $variable =~ s/\+/ /g; $variable =~ s/%26/\&/g; $variable =~ s/%27/\'/g; $variable =~ s/%2F/\//g; # slash (erased) $variable =~ s/%3F/\?/g; # question mark $variable =~ s/%21/!/g; # exclamation mark $variable =~ s/%23/#/g; # pound sign $variable =~ s/%24/\$/g; # dollar sign $variable =~ s/%25/\%/g; # percent sign $variable =~ s/%5E/^/g; # carrot $variable =~ s/%2B/+/g; # plus $variable =~ s/%3D/=/g; # equal $variable =~ s/%7C/\|/g; # pipe $variable =~ s/%60/\`/g; # aprostrophe $variable =~ s/%7E/\~/g; # tilde $variable =~ s/%3C/\</g; # less than symbol $variable =~ s/%3E/\>/g; # greater than symbol $variable =~ s/%3B/\;/g; # semi colon $variable =~ s/%22/\"/g; # quote $variable =~ s/%5B/[/g; # left bracket $variable =~ s/%5D/]/g; # right bracket $variable =~ s/%7B/\{/g; # left brace $variable =~ s/%7D/\}/g; # right brace $variable =~ s/%09/\t/g; # tab $variable =~ s/:/-/g; # colon $variable =~ s/%0D%0A/\n\t/g; # Carriage Return/Line Feed return $variable; } sub get_date { ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); if ($min < 10) { $min = "0".$min; } if ($sec < 10) { $sec = "0".$sec; } # Increment the month by one because PERL's months # are in the range of 0..11. Weird, huh? $mon++; $year %=100; $ydate_string = "$year$mon$mday"; $xdate_string = "$mon$mday$year"; $date_string = sprintf("%02d:%02d:%02d %02d/%02d/%02d",$hour,$min,$sec,$mon,$mday,$year); return $date_string; return $xdate_string; } #end get_date # End of file #

Jasmine Administrator / Moderator Feb 15, 2000, 10:13 AM Post #5 of 6 (323 views) Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post If you're looking just to escape html characters < > to prevent inappropriate code, you can just use: <BLOCKQUOTE><font size="1" face="Arial,Helvetica,sans serif">code:</font><HR> $toencode=~s/&/&/g; $toencode=~s/\"/"/g; $toencode=~s/>/>/g; $toencode=~s/</</g; </pre><HR></BLOCKQUOTE> $toencode represents the variable that you want to change < > " and & to their non-parsing equivalents. If you're receiving data via the QUERY_STRING, that is, your program can have a url like yourprogram.com?this=that you'll need to encode and decode the string. You can use the following subroutines (from CGI.pm): <BLOCKQUOTE><font size="1" face="Arial,Helvetica,sans serif">code:</font><HR> # unescape URL-encoded data sub unescape { my($todecode) = @_; $todecode =~ tr/+/ /; # pluses become spaces $todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge; return $todecode; } # URL-encode data sub escape { my($toencode) = @_; $toencode=~s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg; return $toencode; } </pre><HR></BLOCKQUOTE> If any of this is confusing, please post back and we'll be pleased to elaborate. Good luck!

Melissa Deleted Feb 16, 2000, 8:36 AM Post #6 of 6 (323 views) Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post I had some luck with this yesterday. I posted it all under "Substituting Characters with Underscore"

Announcements     PerlGuru Announcements Perl Programming Help     Frequently Asked Questions     Beginner     Intermediate     Advanced     Regular Expressions     mod_perl     DBI     Win32 Programming Help Fun With Perl     Perl Quizzes - Learn Perl the Fun Way     Perl Golf     Perl Poetry Need a Custom or Prewritten Perl Program?     I need a program that...     I Need a Programmer for Freelance Work     Throw Down The Gauntlet General Discussions     General Questions     Feedback     Tutorial/Article Suggestions for The Learning Cent     Internet Security Other Programming Languages     Javascript     PHP

Search this forum this category all forums for All words Any words Whole Phrase (options)

Powered by Gossamer Forum v.1.2.0

Web Applications & Managed Hosting Powered by Gossamer Threads
Visit our Mailing List Archives