Dave Cobb wrote:
>Stephen Turner wrote:
>
>> On Thu, 2 Dec 1999, Dave Cobb wrote:
>> > Rundown: form details (e.g. commands) are passed to ASP script,
>> > script gets form values, splits them into appropriate command names
>> > and commands, these are concatenated into a command line string
>> > which formats the output using the +C command.
>>
>> You're editing out the commands in anlgform.pl's @forbidden array are
>> you?
>
>No. See below
>
>> Do you obey the same syntax as anlgform? For example, FLOORA and
>> FLOORB, or COMMAND1 and COMMAND2. Or will people need new forms as
>> well?
>
>The way it works is that ANY command can be passed from the form,
>this makes it futureproof - BUT here is the security risk. If any
>command is passed then someone can hack the commands passed from the
>form and execute anything on a command line basis. Therefore parsing
>form contents is required, e.g. no carriage returns or \n\r, etc.
You're reinventing the wheel - the techniques in the Perl script are
well thought out, and it makes more sense to implement these techniques
in an ASP script than to use a totally new methodology. I don't see
futureproofing as an issue - there are certain commands that simply
aren't appropriate in the Web interface, and it is important to filter
them out.
Aengus
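An added example (not from this thread, nor analog's own anlgform.pl) of the filtering approach the reply argues for: drop commands on a forbidden list, refuse control characters such as CR/LF in values, and hand each +C command to analog as a separate argv element instead of a concatenated command-line string. The forbidden set, the `+C<command> <argument>` formatting and the subprocess call are assumptions for illustration.

```python
import re
import subprocess

# Illustrative forbidden set (assumption): commands that let a web user pick
# files on the server. The real list lives in anlgform.pl's @forbidden array.
FORBIDDEN = {"OUTFILE", "CACHEOUTFILE", "LOGFILE", "CONFIGFILE", "DNSFILE", "ERRFILE"}

NAME_RE = re.compile(r"^[A-Z][A-Z0-9]{0,31}$")   # a command name is one bare word
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")      # CR, LF and other control chars


class RejectedCommand(ValueError):
    """Raised when a submitted form field cannot safely become a +C command."""


def build_analog_args(form, forbidden=FORBIDDEN):
    """Turn form fields (command name -> value) into a list of +C arguments.

    Returns an argv list, never a shell string: each element is exactly one
    analog configuration command, so quotes, ';' or '|' inside a value stay
    inside that one argument rather than starting a new shell command.
    """
    args = []
    for raw_name, value in form.items():
        name = raw_name.strip().upper()       # check case-insensitively so "outfile" is caught
        if not NAME_RE.match(name):
            raise RejectedCommand(f"malformed command name: {raw_name!r}")
        if name in forbidden:
            raise RejectedCommand(f"command not allowed from the web form: {name}")
        if CONTROL_RE.search(value):
            raise RejectedCommand(f"control character in value for {name}")
        args.append(f"+C{name} {value}")      # assumed +C syntax: +C<command> <argument>
    return args


def accepts(form):
    """True if every field in the form passes the checks above."""
    try:
        build_analog_args(form)
    except RejectedCommand:
        return False
    return True


def run_analog(form, analog_path="analog"):
    """Run analog with the validated arguments; no shell is involved."""
    argv = [analog_path, *build_analog_args(form)]
    return subprocess.run(argv, capture_output=True, text=True, check=False)
```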
------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/[email protected]/
------------------------------------------------------------------------