Re: CERT Advisory CA-97.25 - CGI_metachar

Andrew McNaughton (andrew@SQUIZ.CO.NZ)
Tue, 11 Nov 1997 17:42:29 +1300

>Building on this philosophy, the Perl program we presented above could be
>thus sanitized to contain ONLY those characters allowed. For example:
>
> #!/usr/cert/bin/perl
> $_ = $user_data = $ENV{'QUERY_STRING'}; # Get the data
> print "$user_data\n";
> $OK_CHARS='a-zA-Z0-9_\-\.@'; # A restrictive list, which
> # should be modified to match
> # an appropriate RFC, for example.
> eval "tr/[$OK_CHARS]/_/c";
> $user_data = $_;
> print "$user_data\n";
> exit(0);
>

OK, let's test that. Add a few lines like so...

#!/usr/cert/bin/perl

# Feed every byte value 0..255 through the filter so the output
# shows exactly which characters survive.
for (0..255) {
    $ENV{'QUERY_STRING'} .= chr($_);
}

$_ = $user_data = $ENV{'QUERY_STRING'}; # Get the data
#print "$user_data\n";
$OK_CHARS='a-zA-Z0-9_\-\.@'; # A restrictive list, which
# should be modified to match
# an appropriate RFC, for example.
eval "tr/[$OK_CHARS]/_/c";
s/_//g; # drop the replacement character so only the survivors are printed
$user_data = $_;
print "$user_data\n";
exit(0);

prints:

-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]abcdefghijklmnopqrstuvwxyz

Those square brackets look unintended and possibly useful.

Andrew McNaughton

Andrew McNaughton
Andrew@squiz.co.nz
http://www.squiz.co.nz
http://www.newsroom.co.nz

The effort to understand the universe is one of the very few things that lifts human life above the level of farce, and gives it some of the grace of tragedy - Steven Weinberg
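The point of the post is that Perl's tr/// has no character-class syntax: the square brackets in `tr/[$OK_CHARS]/_/c` are ordinary characters and silently join the allowed set. The following is an added example, not code from the post or from the CERT advisory; the function names (`filter_bracketed`, `filter_plain`, `survivors`, `is_clean`) and the probe string are my own. It runs the same 0..255 probe through the advisory's bracketed form and through a corrected form without brackets, so the two outputs can be compared directly, and then shows a reject-rather-than-rewrite check for the same whitelist.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed probe input: every byte value 0..255, as in the test above.
my $probe = join '', map { chr } 0 .. 255;

# The advisory's form. tr/// treats '[' and ']' as literal characters,
# so both are added to the allowed set by accident.
sub filter_bracketed {
    my ($s) = @_;
    (my $out = $s) =~ tr/[a-zA-Z0-9_\-.@]/_/c;
    return $out;
}

# Corrected form: same list, no brackets, so only the intended
# characters survive the complemented translation.
sub filter_plain {
    my ($s) = @_;
    (my $out = $s) =~ tr/a-zA-Z0-9_\-.@/_/c;
    return $out;
}

# Strip the '_' replacement character so only the survivors remain,
# mirroring the s/_//g line in the post.
sub survivors {
    my ($filtered) = @_;
    (my $kept = $filtered) =~ s/_//g;
    return $kept;
}

# Alternative to rewriting the input: accept it only if every character
# is already in the whitelist, otherwise reject the whole request.
sub is_clean {
    my ($s) = @_;
    return $s =~ /\A[a-zA-Z0-9_.@-]*\z/ ? 1 : 0;
}

print "bracketed: ", survivors(filter_bracketed($probe)), "\n";
print "plain:     ", survivors(filter_plain($probe)), "\n";

# Constructed candidates: one valid address, one with brackets, one with a backslash.
for my $candidate ('user.name@example.com', 'a[b]c', "x\\y") {
    printf "%-22s %s\n", $candidate, is_clean($candidate) ? 'ok' : 'rejected';
}
```

The bracketed line prints `-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]abcdefghijklmnopqrstuvwxyz`, matching the post; the plain line prints the same string without `[]`. The `is_clean` check is the safer pattern for CGI input: a string containing anything outside the whitelist is refused outright rather than quietly rewritten and passed on.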