CGI/Perl Guide | Learning Center | Forums | Advertise | Login
Site Search: in

  Main Index MAIN
INDEX
Search Posts SEARCH
POSTS
Who's Online WHO'S
ONLINE
Log in LOG
IN

Home: Perl Programming Help: Beginner:
Cert Advisory 2000-02/Filtering Code HOW

 



Melissa
Deleted

Feb 9, 2000, 9:58 AM

Post #1 of 6 (551 views)
Cert Advisory 2000-02/Filtering Code HOW Can't Post

I didn't write the cgi/perl scripts that we use for our website, but I have to do the modifications to identify the special characters. (remove meta characters from user-supplied cgi scripts)
There are examples given, but I can't figure out where to put the examples in our scripts!!!
I think I like example2's way of doing it, but I don't know which is better!
Here are the examples, followed by my "guesses" on where I put them in my script(s).

Example1:
#! The first function takes the negative approach.
#! Use a list of bad characters to filter the data
sub FilterNeg {
local( $fd ) = @_;
$fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
return( $fd ) ;
}

#! The second function takes the positive approach.
#! Use a list of good characters to filter the data
sub FilterPos {
local( $fd ) = @_;
$fd =~ tr/A-Za-z0-9\ //dc;
return( $fd ) ;
}

$Data = "This is a test string<script>";
$Data = &FilterNeg( $Data );
print "$Data\n";

$Data = "This is a test string<script>";
$Data = &FilterPos( $Data );
print "$Data\n";

Example2:
#!/usr/local/bin/perl
$_=$user_data = $ENV{'QUERY_STRING'}; #Get the data
print "$user_data/n";
$OK_CHARS='-a-zA-Z0-9_.@'; # A restrictive list, which
# should be modified to match
# an appropriate RFC, for example.
s/[^$OK_CHARS]/_/go;
$user_data = $_;
print "$user_data\n";
exit(0);

---------------
script placement1?:
sub get_form_data {
# This function grabs the information from the browser and
# crams it into a $fields associated array.

# get the env variable and store it to the @prompts array
read(STDIN, $save_string, $ENV{CONTENT_LENGTH});
@prompts = split(/&/,$save_string);

# step through each variable, clean up the garbage, and store
# it to the @fields variable.
foreach (@prompts) {
($tmp1, $tmp2) = split(/=/,$_);

$tmp2 =~ s/\x2b/\x20/g;
$tmp2 =~ s/%2C/\x2c/g;
$tmp2 =~ s/%28/\x28/g;
$tmp2 =~ s/%29/\x29/g;
$tmp2 =~ s/%3A/:/g; #convert 3A to colon
$tmp2 =~ s/%40/\@/g; #at symbol
# $fields{'comment_line'} =~ s/%0D%0A/\n/g;

$fields{$tmp1} = &remove_escape_codes($tmp2);

}

} #end get_form_data


script placement2?:
sub check_form {

if (($fields{'conference'} eq "")
and ($fields{'tour'} eq "")
and ($fields{'icebreaker'} eq "")
and ($fields{'dinner'} eq "")
and ($fields{'golf'} eq ""))

{

$incomplete_form = TRUE;

}
} # end check_form

script placement2,another version of the check_from from another cgi script. this one checks to make sure it's an email address at least:
sub check_form {

if (($fields{'email'} eq "") &#0124; &#0124;
(!($fields{'email'} =~ /.+@.+/))) {
$missing_email = TRUE;
$incomplete_form = TRUE;
}
if ($fields{'name'} eq "") {
$missing_name = TRUE;
$incomplete_form = TRUE;
}
if ($fields{'phone'} eq "") {
$missing_phone = TRUE;
$incomplete_form = TRUE;
}

} #end check_form


Melissa
Deleted

Feb 14, 2000, 3:34 PM

Post #2 of 6 (551 views)
Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post

Moderators??? Anyone?
Am I the only one who has to rewrite the cgi/perl scripts to filter out the characters like <>#!

I thought scads of people would be rewriting just to strip out the code that someone could send through .... I've tested it. I can use straight html and cgi scripts through my forms.
(currently disabled to public. :-)


kencl
User

Feb 14, 2000, 9:21 PM

Post #3 of 6 (551 views)
Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post

I'm writing a subroutine which converts characters to their HTML equivalents, so that users can put up what they like. I'll post it once it's finished if you like.

PS - no idea what these icons mean! How about using the alt tags so that a balloon help pops up onmouseover.


Melissa
Deleted

Feb 15, 2000, 7:52 AM

Post #4 of 6 (551 views)
Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post

Now I'm really confused.....
kencl, I would really love to see your script when you are finished!!

Jasmine,I see what you mean by the subroutines that you posted for me, but I think the real problem is where they go, or what they are called, etc. in my script.

I tried using the code that I put under Example 2 in my first post, but all it did was strip out everything, completely.

I tried another version, using the subroutine named FilterNeg I have in Example 1 in my first post, but it doesn't do anything, because I can still submit those characters.

Here's the majority of my script, I'll try leave out the html part that gets displayed, or the part that prints to the database/flatfile.

I've left them in this script, they are commented out. Please look for the sub FilterNeg routine OR the part right under the read(STDIN) in the beginning that does the $OK_CHARS because those are the two that I've been trying to get to work, one or the other, I don't care at this point...

Please don't hate me!!!!!

#!/usr/bin/perl
#
# Program: dummy.cgi
#

#
# Main
#
{
&init;

&show_standard_html_heading;

&get_form_data;

# &FilterNeg;

&check_form;

if ($incomplete_form eq FALSE) {

&store_form;

# Include the user's email in the e-mail list.
if ($fields{'email'}) {
push(@mail_user, $fields{'email'});
}

&send_email;

&notify_sender;

}

else {
&redisplay_page;

}

&show_standard_html_ending;
}

#
# End of Main
#

sub get_form_data {
# This function grabs the information from the browser and
# crams it into a $fields associated array.

# get the env variable and store it to the @prompts array
read(STDIN, $save_string, $ENV{CONTENT_LENGTH});
# $_=$save_string = $ENV{'QUERY_STRING'};
# print "$save_string\n";
# $OK_CHARS='-a-zA-Z0-9_.@';
# s/[^$OK_CHARS]/_/g;
# $save_string = $_;
# print "$save_string\n";
@prompts = split(/&/,$save_string);

# step through each variable, clean up the garbage, and store
# it to the @fields variable.
foreach (@prompts) {
($tmp1, $tmp2) = split(/=/,$_);

$tmp2 =~ s/\x2b/\x20/g;
$tmp2 =~ s/%2C/\x2c/g;
$tmp2 =~ s/%28/\x28/g;
$tmp2 =~ s/%29/\x29/g;
$tmp2 =~ s/%3A/:/g; #convert 3A to colon
$tmp2 =~ s/%40/\@/g; #at symbol

$fields{$tmp1} = &remove_escape_codes($tmp2);

}

} #end get_form_data


sub show_standard_html_heading {
print "Content-TYPE: text/html\n\n";

print <<EOM
<HTML>

<HEAD>
<TITLE>Conference</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" LINK=blue>
EOM

} #end show_standard_html_heading


sub show_standard_html_ending {
print "</FORM>";
print "</BODY>";
print "</HTML>";
} #end show_standard_html_ending


sub init {
$server_root = "/usr/netscape/suitespot/https-server/logs/";

# Push to as many users as necessary.
push(@mail_user, "user\@domain.com");

$registration_file = $server_root."regtest.db";

$date_string = &get_date;

$incomplete_form = FALSE;

} #end init


sub FilterNeg {
local($fd) = @_;
$fd =~ s/[\<\>\"\'\%\;\)\(\=\!\&\+]//g;
return $fd;

} #end FilterNeg


sub check_form {

if (($fields{'conference'} eq "")
and ($fields{'tour'} eq "")
and ($fields{'icebreaker'} eq "")
and ($fields{'dinner'} eq "")
and ($fields{'golf'} eq ""))

{

$incomplete_form = TRUE;

}
} # end check_form

-----------------I didn't includee this part that is the HTML display and the form that gets submitted to a flatfile database and emails the users--------------

sub remove_escape_codes {
# Take out all of the goofy escape codes that
# the server likes to put in.
local($variable, $keep_colon) = @_;
$variable =~ s/\x2b/\x20/g;
$variable =~ s/%2C/\x2c/g;
$variable =~ s/%28/\x28/g; #convert 28 to left paren
$variable =~ s/%29/\)/g; #convert 29 to righ paren
$variable =~ s/%3A/\x3a/g; #convert 3A to colon
$variable =~ s/\+/ /g;
$variable =~ s/%26/\&/g;
$variable =~ s/%27/\'/g;
$variable =~ s/%2F/\//g; # slash (erased)
$variable =~ s/%3F/\?/g; # question mark
$variable =~ s/%21/!/g; # exclamation mark
$variable =~ s/%23/#/g; # pound sign
$variable =~ s/%24/\$/g; # dollar sign
$variable =~ s/%25/\%/g; # percent sign
$variable =~ s/%5E/^/g; # carrot
$variable =~ s/%2B/+/g; # plus
$variable =~ s/%3D/=/g; # equal
$variable =~ s/%7C/\|/g; # pipe
$variable =~ s/%60/\`/g; # aprostrophe
$variable =~ s/%7E/\~/g; # tilde
$variable =~ s/%3C/\</g; # less than symbol
$variable =~ s/%3E/\>/g; # greater than symbol
$variable =~ s/%3B/\;/g; # semi colon
$variable =~ s/%22/\"/g; # quote
$variable =~ s/%5B/[/g; # left bracket
$variable =~ s/%5D/]/g; # right bracket
$variable =~ s/%7B/\{/g; # left brace
$variable =~ s/%7D/\}/g; # right brace
$variable =~ s/%09/\t/g; # tab
$variable =~ s/:/-/g; # colon
$variable =~ s/%0D%0A/\n\t/g; # Carriage Return/Line Feed

return $variable;
}


sub get_date {
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
if ($min < 10) {
$min = "0".$min;
}
if ($sec < 10) {
$sec = "0".$sec;
}

# Increment the month by one because PERL's months
# are in the range of 0..11. Weird, huh?
$mon++;
$year %=100;

$ydate_string = "$year$mon$mday";
$xdate_string = "$mon$mday$year";
$date_string = sprintf("%02d:%02d:%02d %02d/%02d/%02d",$hour,$min,$sec,$mon,$mday,$year);
return $date_string;
return $xdate_string;
} #end get_date

# End of file #



Jasmine
Administrator / Moderator

Feb 15, 2000, 10:13 AM

Post #5 of 6 (551 views)
Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post

If you're looking just to escape html characters < > to prevent inappropriate code, you can just use:

<BLOCKQUOTE><font size="1" face="Arial,Helvetica,sans serif">code:</font><HR>


$toencode=~s/&/&/g;
$toencode=~s/\"/"/g;
$toencode=~s/>/>/g;
$toencode=~s/</</g;
</pre><HR></BLOCKQUOTE>

$toencode represents the variable that you want to change < > " and & to their non-parsing equivalents.

If you're receiving data via the QUERY_STRING, that is, your program can have a url like yourprogram.com?this=that you'll need to encode and decode the string. You can use the following subroutines (from CGI.pm):

<BLOCKQUOTE><font size="1" face="Arial,Helvetica,sans serif">code:</font><HR>


# unescape URL-encoded data
sub unescape {
my($todecode) = @_;
$todecode =~ tr/+/ /; # pluses become spaces
$todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
return $todecode;
}

# URL-encode data
sub escape {
my($toencode) = @_;
$toencode=~s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg;
return $toencode;
}

</pre><HR></BLOCKQUOTE>

If any of this is confusing, please post back and we'll be pleased to elaborate.

Good luck!


Melissa
Deleted

Feb 16, 2000, 8:36 AM

Post #6 of 6 (551 views)
Re: Cert Advisory 2000-02/Filtering Code HOW [In reply to] Can't Post

I had some luck with this yesterday. I posted it all under "Substituting Characters with Underscore"

 
 


Search for (options) Powered by Gossamer Forum v.1.2.0

Web Applications & Managed Hosting Powered by Gossamer Threads
Visit our Mailing List Archives