Vulnerability Development mailing list archives

Re: Serious Hole in Comment/Discussion CGI script


From: Alex Andrews <alex () binarygod co uk>
Date: Sat, 28 Oct 2000 14:32:00 BST

Hi guys
The issue of input to perl programs is covered in great depth by rain
forest puppy in his article for Phrack magazine
(Phrack 55, article 7), which I attach. In summary, perl has problems with
null characters and metacharacters, but these may easily be removed using
s//;. Remember one of CGI programming's most important laws...never trust
user input.

1) Remove the null character
        # strip every NUL byte from the value
        $input =~ s/\0//g;

2) Remove all the standard metacharacters (which are
&;`'\"|*?~<>^()[]{}$\n\r )
        # backslash-escapes each listed character rather than deleting it
        $input =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;

It is simple enough for someone with even a basic knowledge of perl to add
these to the script (coders can patch them quickly also).
In the example program you might want to add these two lines.
There is another point mentioned in the article but it hasn't been mentioned
on this list...so I'll just leave it
for you to discover (it's called the pesky pipe problem!).

Thanks for listening
alex



--
Freedom is the freedom to say that two plus two is four. If granted all
else follows

Attachment: P55-07.txt
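The two substitutions from the post, wrapped in a small script as an added example (not code from the post or from the Phrack article). The allow-list check in strict_input and the sample inputs are my own additions, constructed to show the difference between escaping a value and rejecting it outright.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Steps 1 and 2 from the post: strip NUL bytes, then backslash-escape every
# character in the metacharacter list. Step 2 escapes rather than deletes,
# so the result is only safe where a backslash is honoured as an escape
# (for example when the value is handed to /bin/sh).
sub sanitize_input {
    my ($input) = @_;
    $input =~ s/\0//g;
    $input =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;
    return $input;
}

# Allow-list alternative (an addition, not from the post): accept only word
# characters, '.', '@', '-' and space, at most 64 bytes, and reject the rest.
# A rejected value never needs escaping at all.
sub strict_input {
    my ($input) = @_;
    return undef unless $input =~ /\A[\w.@ -]{1,64}\z/;
    return $input;
}

# Constructed sample inputs for a comment/discussion form field.
my @samples = (
    "reader\@example.com",
    "plain comment text",
    "name\0hidden",
    "user;extra|more",
);
for my $s (@samples) {
    (my $shown = $s) =~ s/\0/\\0/g;   # make the NUL visible when printed
    printf "%-20s escaped=%-24s allowed=%s\n", $shown, sanitize_input($s),
        defined strict_input($s) ? 'yes' : 'no';
}
```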

