Bugtraq mailing list archives

Re: CERT Advisory CA-97.25 - CGI_metachar


From: andrew () SQUIZ CO NZ (Andrew McNaughton)
Date: Tue, 11 Nov 1997 17:42:29 +1300


Building on this philosophy, the Perl program we presented above could be
thus sanitized to contain ONLY those characters allowed. For example:

       #!/usr/cert/bin/perl
       $_ = $user_data = $ENV{'QUERY_STRING'}; # Get the data
       print "$user_data\n";
       $OK_CHARS='a-zA-Z0-9_\-\.@';    # A restrictive list, which
                                       # should be modified to match
                                       # an appropriate RFC, for example.
       eval "tr/[$OK_CHARS]/_/c";
       $user_data = $_;
       print "$user_data\n";
       exit(0);


OK, let's test that.  Add a few lines like so...


#!/usr/cert/bin/perl

for (0..255) {
    $ENV{'QUERY_STRING'} .=chr($_);
}

$_ = $user_data = $ENV{'QUERY_STRING'}; # Get the data
#print "$user_data\n";
$OK_CHARS='a-zA-Z0-9_\-\.@';    # A restrictive list, which
                                        # should be modified to match
                                        # an appropriate RFC, for example.
eval "tr/[$OK_CHARS]/_/c";
s/_//g;
$user_data = $_;
print "$user_data\n";
exit(0);


prints:

-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]abcdefghijklmnopqrstuvwxyz


Those square brackets look unintended and possibly useful.

Andrew McNaughton



 The effort to understand the universe is       Andrew McNaughton
 one of the very few things that lifts         Andrew () squiz co nz
 human life above the level of farce,
 and gives it some of the grace            http://www.squiz.co.nz
 of tragedy  -  Steven Weinberg         http://www.newsroom.co.nz
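An added example, not part of the original post or of the CERT advisory, that runs the advisory's bracketed SEARCHLIST and a bracket-free one against the same 0..255 probe so the difference is visible side by side; the function names `sanitize_advisory`, `sanitize_fixed` and `survivors` are this example's own.

```perl
#!/usr/bin/perl
use strict;

# Constructed probe: every byte value 0..255, as in the test above.
my $probe = join '', map { chr($_) } 0 .. 255;

# The allowed set exactly as the advisory spells it.
my $OK_CHARS = 'a-zA-Z0-9_\-\.@';

# Advisory version: tr/// has no character-class syntax, so the '[' and ']'
# wrapped around $OK_CHARS become two more characters in the SEARCHLIST,
# i.e. two more characters that the /c complement will NOT replace.
sub sanitize_advisory {
    my ($data) = @_;
    local $_ = $data;
    eval "tr/[$OK_CHARS]/_/c";
    return $_;
}

# Corrected version: no brackets, so the SEARCHLIST is exactly the allowed
# set and everything else (including '[' and ']') is turned into '_'.
sub sanitize_fixed {
    my ($data) = @_;
    local $_ = $data;
    eval "tr/$OK_CHARS/_/c";
    return $_;
}

# Strip the replacement character, as the test above does, so only the
# characters that passed through untouched remain.
sub survivors {
    my ($s) = @_;
    $s =~ s/_//g;
    return $s;
}

print "advisory: ", survivors(sanitize_advisory($probe)), "\n";
print "fixed:    ", survivors(sanitize_fixed($probe)), "\n";
```

The first line reproduces the output quoted in the post, brackets included; the second line is the same set without the brackets.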


