On Thu, 2 Dec 1999, Dave Cobb wrote:
> >
> > This is not quite enough for analog. Some non-alphanumeric characters are
> > also needed, for example in filenames, or FROM and TO strings.
>
> I thought FROM & TO commands were numeric, e.g. 990303?
>
Not necessarily. The syntax allows + and - too. HOSTNAME often needs an
ampersand. There are lots of cases where alphanumeric is not sufficient.
If you look at the Perl script, you will see the rules I devised.
> The way which it works is that ANY command can be passed from the form,
> this makes it futureproof - BUT here is the security risk. If any command
> is passed then someone can hack the commands passed from the form and
> execute anything on a command line basis. Therefore parsing form contents
> is required, e.g. no carriage returns or \n\r, etc.
>
This is not sufficient to be secure. You need to exclude certain commands as
well. There is extensive documentation on this in docs/form.html. If you're
not just going to translate the Perl directly into ASP you really need to
understand these issues. They are extremely subtle, and I've already been
bitten by them twice. But I've also thought about them extremely carefully,
and documented my conclusions, so I really recommend you use my experience.
--
Stephen Turner [EMAIL PROTECTED] http://www.statslab.cam.ac.uk/~sret1/
Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
"As always, it's considered good practice to temporarily disable any
virus detection software prior to installing new software." (Netscape)
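The point made in the reply above, that refusing carriage returns is not enough and that the set of commands the form may name must itself be restricted, as an added example in Python. This is not anlgform.pl, not analog's own code, and not the rules from docs/form.html. The command names FROM, TO and HOSTNAME come from the thread; the value character classes, the case-insensitive name comparison, and the choice of OUTFILE as a real analog command to keep off the allowlist are assumptions made for illustration.

```python
import re

# Allowlist: command name -> regex its value must fully match.
# FROM, TO and HOSTNAME are the commands named in the thread; the
# character classes are assumptions for illustration, not analog's spec.
ALLOWED_COMMANDS = {
    "FROM": re.compile(r"[0-9+-]{1,12}"),               # e.g. 990303 or a +/- offset
    "TO": re.compile(r"[0-9+-]{1,12}"),
    "HOSTNAME": re.compile(r"[A-Za-z0-9 .&_-]{1,80}"),  # ampersand allowed here
}

# Anything below 0x20 (CR, LF, tab, NUL) or DEL can break a line-oriented
# command stream, so it is refused before any per-command rule runs.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_form(fields):
    """Split form fields into accepted {NAME: value} and a list of (field, reason).

    Every field is checked against the allowlist; an unknown command name is
    a rejection, never a pass-through. Stripping newlines alone would still
    let a submitter name any command analog understands.
    """
    accepted = {}
    rejected = []
    for raw_name, value in fields.items():
        # Assumption: command names are compared case-insensitively.
        name = raw_name.strip().upper()
        if CONTROL_CHARS.search(raw_name) or CONTROL_CHARS.search(value):
            rejected.append((raw_name, "control character in name or value"))
            continue
        rule = ALLOWED_COMMANDS.get(name)
        if rule is None:
            rejected.append((raw_name, "command not on the allowlist"))
            continue
        if not rule.fullmatch(value):
            rejected.append((raw_name, "value fails the rule for %s" % name))
            continue
        accepted[name] = value
    return accepted, rejected


def build_config_lines(accepted):
    """Render accepted commands as 'NAME value' lines, one per line.

    How they reach analog (argv or stdin, never through a shell) is left
    to the caller and is not specified here.
    """
    return ["%s %s" % (name, value) for name, value in sorted(accepted.items())]


if __name__ == "__main__":
    # Constructed sample submission: two good fields, one value carrying an
    # embedded newline, and OUTFILE, a real analog command that is kept off
    # the allowlist on purpose.
    sample = {
        "FROM": "990303",
        "HOSTNAME": "Smith & Sons",
        "TO": "000101\nLOGFILE /some/other/file",
        "OUTFILE": "/tmp/out.html",
    }
    ok, bad = validate_form(sample)
    for line in build_config_lines(ok):
        print(line)
    for field, why in bad:
        print("rejected %r: %s" % (field, why))
```

The two checks are deliberately independent: the control-character test protects the line-oriented command stream, and the allowlist bounds which commands can be named at all. Dropping either one reopens a hole the other does not cover.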
------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/[email protected]/
------------------------------------------------------------------------