Bugtraq mailing list archives
Re: CERT Advisory CA-97.25 - CGI_metachar
From: andrew () SQUIZ CO NZ (Andrew McNaughton)
Date: Tue, 11 Nov 1997 17:42:29 +1300
> Building on this philosophy, the Perl program we presented above could be
> thus sanitized to contain ONLY those characters allowed. For example:
>
>     #!/usr/cert/bin/perl
>     $_ = $user_data = $ENV{'QUERY_STRING'};   # Get the data
>     print "$user_data\n";
>     $OK_CHARS='a-zA-Z0-9_\-\.@';   # A restrictive list, which
>                                    # should be modified to match
>                                    # an appropriate RFC, for example.
>     eval "tr/[$OK_CHARS]/_/c";
>     $user_data = $_;
>     print "$user_data\n";
>     exit(0);
OK, let's test that. Add a few lines like so...

    #!/usr/cert/bin/perl
    for (0..255) { $ENV{'QUERY_STRING'} .= chr($_); }
    $_ = $user_data = $ENV{'QUERY_STRING'};   # Get the data
    #print "$user_data\n";
    $OK_CHARS='a-zA-Z0-9_\-\.@';   # A restrictive list, which
                                   # should be modified to match
                                   # an appropriate RFC, for example.
    eval "tr/[$OK_CHARS]/_/c";
    s/_//g;
    $user_data = $_;
    print "$user_data\n";
    exit(0);

prints:

    -.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]abcdefghijklmnopqrstuvwxyz

Those square brackets look unintended and possibly useful.

Andrew McNaughton          The effort to understand the universe is
Andrew McNaughton          one of the very few things that lifts
Andrew () squiz co nz      human life above the level of farce,
                           and gives it some of the grace
http://www.squiz.co.nz     of tragedy   - Steven Weinberg
http://www.newsroom.co.nz
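As an added example (not code from the CERT advisory or from Andrew's post), the script below puts the advisory's allow-list filter next to a corrected form and runs both over a constructed input containing all 256 byte values, reporting which characters outside the intended set each filter lets through. The sub names `sanitize_as_published`, `sanitize_fixed` and `leaked_chars`, and the all-bytes input, are my own.

```perl
#!/usr/bin/perl
# Added example: the advisory's tr///-based allow list beside a corrected one,
# tested against every byte value so that any leak is visible.
use strict;
use warnings;

# Constructed test input: all 256 byte values in order.
my $all_bytes = join '', map { chr } 0 .. 255;

# The advisory's filter, reproduced as published (wrapped in a sub). The eval
# is there because tr/// does not interpolate variables. Warnings are disabled
# lexically so the advisory's "\." escape passes through unchanged.
sub sanitize_as_published {
    my ($data) = @_;
    no warnings;
    local $_ = $data;
    my $OK_CHARS = 'a-zA-Z0-9_\-\.@';
    eval "tr/[$OK_CHARS]/_/c";   # '[' and ']' become members of the search list
    return $_;
}

# Corrected form: tr/// has no bracket syntax, so the list is written directly
# with no surrounding brackets, and /cd deletes every character outside the
# list instead of mapping it to '_' (which would be indistinguishable from a
# legitimate underscore in the input).
sub sanitize_fixed {
    my ($data) = @_;
    (my $clean = $data) =~ tr/a-zA-Z0-9_\-.@//cd;
    return $clean;
}

# Run a sanitizer over the all-bytes input, then strip everything the filter was
# meant to allow (plus '_', the published version's replacement character).
# Whatever remains is a character that leaked through the allow list.
sub leaked_chars {
    my ($sanitizer) = @_;
    my $out = $sanitizer->($all_bytes);
    (my $leaked = $out) =~ tr/a-zA-Z0-9_\-.@//d;
    return $leaked;
}

printf "published filter lets through: \"%s\"\n", leaked_chars(\&sanitize_as_published);
printf "fixed filter lets through:     \"%s\"\n", leaked_chars(\&sanitize_fixed);
```

Running it shows `[]` for the published filter and an empty string for the corrected one: the brackets that were meant to delimit a character class are, in tr///, just two more characters in the search list, so the complemented translation leaves them alone. Checking an allow list this way, by feeding it every byte value and diffing the result against the intended set, is a cheap test to keep next to any input filter.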