Bugtraq mailing list archives
Re: CGI security: Escape newlines.
From: fc () all net (Fred Cohen)
Date: Tue, 6 Feb 1996 06:51:46 -0500
...
> That document recommends removing or escaping the following characters in user-supplied data before passing it to a shell: ;<>*|`&$!#()[]{}:'"/ There is (at least) one character missing from this list: the new line character. I have never seen the new line character included in a list of metacharacters to filter.
... In my opinion, this is exactly the wrong way to go about providing adequate security. If you are going to limit syntax as a method for preventing abuse, you should not be eliminating symbols that are known to be dangerous, but rather retaining symbols that are known to be safe. Try retaining ONLY the desired symbols and eliminating all else - and more generally - allow only what must be allowed and by default, disallow all else.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
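The two positions in this exchange side by side, as an added example that is not part of the original posts: the quoted blocklist from the thread (which omits the newline), the same blocklist with the newline added, and a retain-only-what-is-safe filter of the kind Fred Cohen argues for. The field name and the set of retained characters ([A-Za-z0-9._@-], plausible for a login name handed to something like finger) are assumptions for the example; the "finger" command string is a stand-in for whatever the CGI script splices the value into.

```python
import re

# The metacharacter list quoted in the thread. Note that "\n" is not in it.
BLOCKLIST_FROM_THREAD = frozenset(';<>*|`&$!#()[]{}:\'"/')

# Same list with the newline added, as the original poster suggests.
BLOCKLIST_WITH_NEWLINE = BLOCKLIST_FROM_THREAD | {"\n"}

# Allowlist: the only characters this (assumed) login-name field may contain.
# \A and \Z are used deliberately: in Python, "$" also matches just before a
# trailing newline, so r"^[...]+$" with re.match would let "jmyers\n" through.
ALLOWED_RE = re.compile(r"\A[A-Za-z0-9._@-]+\Z")


def blocklist_ok(value: str, blocked=BLOCKLIST_FROM_THREAD) -> bool:
    """Blocklist approach: accept unless a known-dangerous character is present."""
    return not any(ch in blocked for ch in value)


def allowlist_ok(value: str) -> bool:
    """Allowlist approach: accept only if every character is known-safe."""
    return ALLOWED_RE.fullmatch(value) is not None


def build_command(value: str) -> str:
    """The command string a naive CGI script would hand to the shell (stand-in)."""
    return "finger " + value


def commands_seen_by_shell(value: str) -> list:
    """Approximate how the shell parses the spliced string: a newline ends one
    command and begins the next, exactly like ';' would.  This is a model of the
    parsing, not an invocation of a shell."""
    return [line for line in build_command(value).split("\n") if line.strip()]


# Constructed sample inputs for the example.
SAMPLES = [
    "jmyers",                 # benign
    "jmyers;uname -a",        # classic separator, caught by the thread's list
    "jmyers\nuname -a",       # newline separator, NOT caught by the thread's list
]


def evaluate(value: str) -> dict:
    """Run one value through all three filters and the shell-parsing model."""
    return {
        "thread_blocklist": blocklist_ok(value),
        "blocklist_plus_newline": blocklist_ok(value, BLOCKLIST_WITH_NEWLINE),
        "allowlist": allowlist_ok(value),
        "commands": commands_seen_by_shell(value),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), evaluate(sample))
```

The newline payload passes the quoted blocklist unchanged and would reach the shell as two commands; adding "\n" to the list closes that one gap, but the list then still has to be re-audited against every metacharacter of every interpreter the value might reach. The allowlist needs no such audit: anything outside the retained set is rejected whether or not anyone thought of it.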