Full Disclosure mailing list archives
Re: [anti-XSS]about CERT/CC:malicious_code_mitigation
From: Valdis.Kletnieks () vt edu
Date: Mon, 09 Aug 2004 13:29:15 -0400
On Sat, 07 Aug 2004 06:25:00 -0000, bitlance winter said:
    # The first function takes the negative approach.
    # Use a list of bad characters to filter the data
    sub FilterNeg {
        local( $fd ) = @_;
        $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
        return( $fd ) ;
    }
*BZZT!!* Wrong. Don't do this in production code, because...
I have understood that bad characters are < > " ' % ; ) ( & +
If it turns out that * (asterisk) is a "bad character", you're screwed. If it turns out that *any other* character is "bad", you're screwed. The *proper* way to do the filtering is to *remove* *all* characters not known to be good. Something like:

    $fd =~ s/[^-_ a-zA-Z0-9]//g;

Only pass alphabetic, numeric, space, hyphen, and underscore. Add other characters *only* if you can show they are *not* a problem.
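An added example, not part of the thread, that puts the quoted denylist filter next to the allowlist filter described above and runs both over constructed inputs; the sub names, sample strings and self-checks are my own.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): denylist vs allowlist
# character filtering, over constructed inputs.
use strict;
use warnings;

# Negative approach, as quoted: strip a fixed list of "bad" characters.
sub filter_neg {
    my ($fd) = @_;
    $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return $fd;
}

# Positive approach: strip everything NOT known to be good.
# Allowed: letters, digits, space, hyphen, underscore (leading '-' in the
# class is literal).
sub filter_pos {
    my ($fd) = @_;
    $fd =~ s/[^-_ a-zA-Z0-9]//g;
    return $fd;
}

# Constructed samples: a harmless name, a string built from the listed
# "bad" characters, and a string whose characters the denylist never
# mentions (asterisk, slash, backtick, tab).
my @samples = (
    "Jane Doe-Smith_2",
    "<script>alert('x')</script>",
    "foo*bar/baz`qux\tquux",
);

for my $s (@samples) {
    printf "input:    %s\nnegative: %s\npositive: %s\n\n",
        $s, filter_neg($s), filter_pos($s);
}

# Self-checks: the slash survives the denylist (it is not on the list),
# and the third sample passes the denylist completely untouched.
die "denylist check failed"
    unless filter_neg("<script>alert('x')</script>") eq "scriptalertx/script";
die "denylist passthrough check failed"
    unless filter_neg("foo*bar/baz`qux\tquux") eq "foo*bar/baz`qux\tquux";
die "allowlist check failed"
    unless filter_pos("foo*bar/baz`qux\tquux") eq "foobarbazquxquux";
```

Both filters silently alter the data rather than rejecting it; whether stripping or rejecting is the right reaction depends on the field, but only the allowlist form guarantees that nothing outside the known-good set reaches the output.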