|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: b0iler _ (b0iler
hotmail.com)Date: Wed Feb 06 2002 - 20:36:47 CST
>sjdatanet.hu wrote:
>>I think some filtering after the line '$q = new CGI;' would help a little
>>
>>Eg.
>>
>>my $SECMSG = 'Pliz dont hekk us\n";
>>
>>if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
>>my $xx = $q->param('cfg');
>>
>>if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
>Eek! leaning toothpick syndrome!
>
> if ($xx =~ m"\.\. | # if match '..' anywhere, or
> // | # match '//' anywhere, or
> \./ "x) { # match './' anywhere:
> die $SECMSG;
> }
>
>Of course, as a general rule, it's better to take a leaf out of the
>firewall admin's book: deny everything by default, then allow only
>specific, known good patterns. For example, isn't this code prone to
>fragility in the presence of hex-encoded characters?
Yes, great advice. also watch out for flying \'s. Even though you are
filtering which is good, one mistake can make your perl dirty and of little
worth. Setting $q->param('cfg') to .\.\/ will make it past these filters and
hekk you. A nice way of filtering is to filter out meta characters first,
then the double dot, or the best method - "deny everything by default".
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]