Vulnerability Development mailing list archives

Re: Coding Conservative CGI Perl


From: FX <fx () phenoelit de>
Date: Mon, 10 Jun 2002 21:15:48 +0200

> This is why I raise the question here on what can be done in perl without
> the use of spaces.

It doesn't matter what you want to do. One solution is used in many shell
codes: encode the program code and decode it on the fly.

To encode any perl program with a simple monoalphabetic substitution, you
could use this script:

---encode.pl---
#!/usr/bin/perl
use strict;
use warnings;

# Read the plain program line by line and shift every character up by 3,
# so that spaces and other filtered characters never appear in the output.
while (<STDIN>) {
    chomp;
    $_ =~ s/(.)/chr(ord($1)+3)/ge;
    print;
}
---

The encoded perl script can have as many spaces as you can wish for.

example:
# echo 'print "my perl prog\n";' | ./encode.pl
will give you something like this:
sulqw#%p|#shuo#surj_q%>

Now, your CGI looks like this:
#!/usr/bin/perl
$D="sulqw#%p|#shuo#surj_q%>";$D=~s/(.)/chr(ord($1)-3)/ge;eval($D);

Note the absence of any spaces. Using the same or any other encoding that is
convenient for you (such as XOR with pattern 0x55, encode in hex, etc.), you
can upload code with spaces and other forbidden characters and execute it
anyway.

The power of eval().

Peace,
FX

-- 
         FX           <fx () phenoelit de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
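The encode/decode trick in the post is the standard argument against character blacklists on uploaded code: the filtered characters never appear in the file, only in the string that eval() builds at run time. As an added example (not from the post or its author), the following Python checker runs the naive "no spaces" filter and a string-eval/decoder detector over the two scripts the post contrasts. Both scripts are constructed inline, with the encoded CGI line taken from the post; the regex names and the decode_shift() helper are this example's own.

```python
import re

# Constructed samples (not real uploads): the plain script and the
# space-free encoded CGI the post shows for it.
PLAIN_CGI = '#!/usr/bin/perl\nprint "my perl prog\\n";\n'
ENCODED_CGI = (
    '#!/usr/bin/perl\n'
    '$D="sulqw#%p|#shuo#surj_q%>";$D=~s/(.)/chr(ord($1)-3)/ge;eval($D);\n'
)


def space_blacklist_rejects(src: str) -> bool:
    """The filter the thread is arguing about: refuse the script if any line
    after the shebang contains a space. Returns True when it would be refused."""
    body = src.splitlines()[1:]  # the shebang may legitimately carry "-T"
    return any(" " in line for line in body)


# Signs that code is assembled at run time instead of being written in the
# file: a string eval of a variable, and an s///e that rewrites characters.
STRING_EVAL = re.compile(r"\beval\s*\(?\s*\$")
CHAR_DECODER = re.compile(r"s/[^/]*/[^/]*chr\([^/]*/[a-z]*e\b")


def dynamic_code_findings(src: str) -> list:
    """Return (line number, reason) for every line that evals runtime-built code."""
    found = []
    for n, line in enumerate(src.splitlines(), 1):
        if STRING_EVAL.search(line):
            found.append((n, "string eval of a variable"))
        if CHAR_DECODER.search(line):
            found.append((n, "per-character decoder in s///e"))
    return found


def decode_shift(encoded: str, shift: int) -> str:
    """Reverse the post's shift-by-3 encoding so a reviewer can read what the
    eval would execute. For inspection only; the result is never evaluated."""
    return "".join(chr(ord(c) - shift) for c in encoded)


if __name__ == "__main__":
    for name, src in (("plain", PLAIN_CGI), ("encoded", ENCODED_CGI)):
        print(name, "blacklist rejects:", space_blacklist_rejects(src),
              "findings:", dynamic_code_findings(src))
    print("decoded payload:", decode_shift("sulqw#%p|#shuo#surj_q%>", 3))
```

The blacklist refuses the readable script and accepts the encoded one, while the eval/decoder check flags only the encoded one. The practical lesson for a CGI that takes uploaded Perl is that character filtering is not a control at all: either the upload is data and is never handed to the interpreter, or the hosting environment must treat it as fully trusted code.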

