[GLLUG] CGI/Perl Script

Adam McDougall mcdouga9@egr.msu.edu
Tue, 20 Aug 2002 14:39:40 -0400


On Tue, Aug 20, 2002 at 11:14:41AM -0400, Melson, Paul wrote:

  I've got to agree 100% with Dennis here.  Any time you're passing
  user-supplied data to a shell, `perl -T` is a must.  I'd recommend
  normalizing your input like this:
  
  #!/usr/bin/perl -T
  
  use CGI qw/:standard *table/;
  
  my $path1 = url_param('path1');
  
  if ($path1 =~ /^([-\w.]+)$/) {
  	$path1 = $1;
  } else {
  	die "Bad hacker, no donut!";
  }
  
  
  That should allow A-Za-z0-9 as well as '~' and '.' through while
  untainting $path1, and cause your script to die if it detects anything
  else (like a '&' or ';').  That's a pretty basic example (and the syntax
  may not be perfect - I didn't test it, and I concede to being rusty),
  but that's pretty much what you want to be doing with all of your user
  supplied data.  Only untaint variables that have been checked against
  _well-defined_ conditions.  Good luck!


I really wish I could allow A-Za-z0-9 except I have to accept just
about any non-harmful filename that a Windows user could create.
Currently I am cleaning it up using s/\.\.\///g for directory
traversal and s/[\\\/\:\*\?\"\<\>\|]//g to get rid of some characters
Windows claims not to support in a filename: \ / : * ? " < > |

Fortunately, the only people that will have access to the url of 
the script are paid employees who must authenticate, so if they
try something tricky, they can get whacked. 

  
  PaulM
  
  PS - What's the final purpose of your script?
  
I need to accept a partial file path as input to compare that
file on the server with a directory containing a bunch of 
reference files.  I have it all functioning already with
pretty paranoid file handling, I just needed to better 
safeguard the file path input. 



  
  -----Original Message-----
  From: Dpk [mailto:dpk@egr.msu.edu]
  Sent: Tuesday, August 20, 2002 10:28 AM
  To: Daniel
  Cc: Adam McDougall; Matt Graham; linux-user@egr.msu.edu
  Subject: Re: [GLLUG] CGI/Perl Script
  
  
  Personally, I would avoid using cgi-lib.pl.  It is non-standard and
  isn't as scalable as CGI.pm.
  
  #!/usr/bin/perl -T
  
  use CGI qw/:standard *table/;
  
  my $path1 = url_param('path1');
  my $path2 = url_param('path2');
  
  With user defined paths, make sure you use taint perl (the -T switch)
  and do heavy data scrubbing before passing to the system.  If at all
  possible, I would avoid using a user defined path to a file
  altogether.
  
  Adam, I'm surprised you posted this request when you have 1000s of
  lines of wonderfully written CGI/perl code at your disposal here at
  work :)
  
  Dpk
  
  _______________________________________________
  linux-user mailing list
  linux-user@egr.msu.edu
  http://www.egr.msu.edu/mailman/listinfo/linux-user
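Stripping `../` and the reserved characters is a deny-list; the allow-list untainting Paul and Dpk recommend, carried over to multi-segment Windows-style filenames with a realpath containment check, is shown here as an added example (not code from anyone in the thread; the base directory and sample paths are constructed assumptions).

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): allow-list validation of a
# user-supplied relative path under taint mode. Each segment must match
# the allow-list (the capture untaints it, see perlsec), dot-only segments
# are rejected, and the resolved path must stay under the base directory.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Returns (absolute path, undef) on success or (undef, reason) on failure.
sub resolve_under {
    my ($base, $user_path) = @_;
    return (undef, 'empty or absolute path')
        if !defined $user_path || $user_path eq '' || $user_path =~ m{^/};
    my @clean;
    for my $seg (split m{/}, $user_path, -1) {
        # Letters, digits, space and punctuation Windows permits in names;
        # \ : * ? " < > | and empty segments never match.
        my ($ok) = $seg =~ /^([\w .,'&+=~!#\@(){}\[\]-]+)$/;
        return (undef, "disallowed characters in '$seg'") unless defined $ok;
        # No '.', '..', '...' segments; no trailing dot or space, which
        # Windows strips so the name would refer to a different file.
        return (undef, "dot segment '$ok'")        if $ok =~ /^\.+$/;
        return (undef, "trailing dot/space '$ok'") if $ok =~ /[. ]$/;
        push @clean, $ok;
    }
    # Second line of defence: realpath follows symlinks, so the result
    # must still begin with the real base directory.
    my $real_base = realpath($base);
    my $real      = realpath(File::Spec->catfile($base, @clean));
    return (undef, 'no such file') unless defined $real;
    return (undef, 'escapes base directory')
        unless defined $real_base && index($real, "$real_base/") == 0;
    return ($real, undef);
}

# Demo against a constructed base directory (assumption, created here).
my $base = tempdir(CLEANUP => 1);
mkdir "$base/reports" or die $!;
open my $fh, '>', "$base/reports/Q3 summary (final).txt" or die $!;
close $fh;
for my $in ('reports/Q3 summary (final).txt', 'reports/../../etc/passwd',
            'reports\\Q3.txt', 'reports/Q3.txt.', 'reports//x', 'missing.txt') {
    my ($path, $why) = resolve_under($base, $in);
    printf "%-32s %s\n", $in, defined $path ? "OK $path" : "REJECT ($why)";
}
```

Run it as `perl -T script.pl` (perl reports "Too late for -T" if the switch is only on the shebang line); in the CGI the `$user_path` argument would be the tainted `url_param('path1')`.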