Vulnerability Development mailing list archives
Re: Serious Hole in Comment/Discussion CGI script
From: Ekke Vasli <ekke () CHAMBER EE>
Date: Sat, 28 Oct 2000 09:59:54 +0300
Alex Andrews wrote:
> 1) Remove the null character
>    $input =~ s/\0//g;
> 2) Remove all the standard metacharacters (which are &;`'\"|*?~<>^()[]{}$\n\r )
>    $input =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;
I think it's better (and not so ugly ;o) just to allow the variable to be of a certain format, be it

    $filename =~ /^\w+$/ or die("Crappy filename");

or

    $email =~ /^[[:alnum:].]+@([[:alnum:]]+\.)+[[:alnum:]]+$/ or die("Uh-Oh");

OK, the email check syntax might be even a bit more complicated, but... Just the question of policy: to allow all but some characters, or to allow just a certain format of a variable.

-ekke
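The two policies contrasted above, as an added Perl example that is not from the thread: Alex's escaping substitution beside an allow-list validator of the kind Ekke suggests. The per-field patterns and the sample inputs are constructed for illustration, not taken from any real CGI script.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Deny-list approach quoted from Alex's post: strip NUL, then backslash-escape
# every listed shell metacharacter. The value is still passed on, only altered.
sub escape_metachars {
    my ($input) = @_;
    $input =~ s/\0//g;
    $input =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;
    return $input;
}

# Allow-list approach Ekke argues for: one anchored pattern per field describing
# the only shape the value may have. Anything else is rejected, not repaired.
# These patterns are assumptions for the example; a real site would tune them.
my %allowed = (
    filename => qr/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$/,   # no '/', no leading '.'
    email    => qr/^[[:alnum:]._-]+@(?:[[:alnum:]-]+\.)+[[:alpha:]]{2,}$/,
);

sub validate {
    my ($field, $value) = @_;
    die "no format defined for field '$field'" unless exists $allowed{$field};
    return undef unless defined $value;
    return undef if $value =~ /\0/;          # a NUL never belongs in a form field
    return $value =~ $allowed{$field} ? $value : undef;
}

# Constructed sample inputs, not taken from the thread.
my @samples = (
    [ filename => 'report.txt'          ],
    [ filename => 'report (final).txt'  ],
    [ filename => "notes\0.txt"         ],
    [ email    => 'user.name@example.com' ],
    [ email    => 'user@example'        ],
);

for my $s (@samples) {
    my ($field, $value) = @$s;
    my $escaped = escape_metachars($value);
    my $ok      = validate($field, $value);
    printf "%-8s %-22s escaped=%-24s allowlist=%s\n",
        $field, _show($value), _show($escaped), defined $ok ? 'accepted' : 'rejected';
}

sub _show { my $v = shift; $v =~ s/\0/\\0/g; return "'$v'" }
```

Running it shows the difference in policy: the deny-list hands back an altered value for every input, while the allow-list either returns the value unchanged or refuses it outright.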
Current thread:
- Re: Serious Hole in Comment/Discussion CGI script Alex Andrews (Oct 29)
- Re: Serious Hole in Comment/Discussion CGI script Ekke Vasli (Oct 30)