|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Andrew Simmons (andrew
zpok.demon.co.uk)Date: Mon Feb 04 2002 - 19:49:48 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
sjdatanet.hu wrote:
> I think some filtering after the line '$q = new CGI;' would help a little
>
> Eg.
>
> my $SECMSG = 'Pliz dont hekk us\n";
>
> if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
> my $xx = $q->param('cfg');
>
> if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
Eek! leaning toothpick syndrome!
if ($xx =~ m"\.\. | # if match '..' anywhere, or
// | # match '//' anywhere, or
\./ "x) { # match './' anywhere:
die $SECMSG;
}
Of course, as a general rule, it's better to take a leaf out of the
firewall admin's book: deny everything by default, then allow only
specific, known good patterns. For example, isn't this code prone to
fragility in the presence of hex-encoded characters?
\a
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (CYGWIN_NT-4.0)
Comment: For info see http://www.gnupg.org
iD8DBQE8XzoKkZawWPzItK8RAiPEAJ9ZoMw1HyHT9IQ3dHHGTPjDiZ2WawCfUop/
Wg3BBi5iR0iP81E9RPqCbdk=
=IaK8
-----END PGP SIGNATURE-----
-- =( Andrew Simmons PGP public key: =( http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xFCC8B4AF =( Perl, security, net- and sys- admin, Linux, NT =( http://www.zpok.demon.co.uk/cv.(doc|txt)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]