On Wed, 13 Oct 1999, Ruben I Safir wrote:
> Matt -
>
> I share your sentiments but I would like to point out a few things about
> the use of CGI.pm and Embperl and/or Modperl which would be
> different than if I was writing the uudecoding by myself.
>
> Normally, I would parse out metachars in the process of decoding input
> from the browser. When I use embperl, (and CGI.pm by default),
> everything is in a nice HASH for me. What's to stop someone from
> entering metachars of {}, or other perl code into a field and have it
> processed by embperl?
What's unsafe about this per se? Only if you use that data in an unsafe way
without first doing a check on that data is it truly unsafe. There's
nothing different about this from a C CGI app that doesn't check that a
parameter it writes to a file doesn't contain #!/bin/sh or that a filename
doesn't contain "..".
> My own decoding routines only let in what I deem safe. CGI.pm is doing
> this for me.
There's no difference that I can see in doing your own decoding and
checking and letting CGI.pm do the decoding and then you do your own
checking. Either way you have to do your own checking.
--
<Matt/>
Details: FastNet Software Ltd - XML, Perl, Databases.
Tagline: High Performance Web Solutions
Web Sites: http://come.to/fastnet http://sergeant.org
Available for Consultancy, Contracts and Training.
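The point both posters circle around, that CGI.pm only decodes the form and the script still has to validate every value before using it, is easier to see in code. The following is an added example written for this thread, not code from either poster or from CGI.pm itself; the data directory, the parameter names `file` and `comment`, and the helper `safe_filename` are assumptions for the illustration. It uses only documented CGI.pm calls (`new`, `param`, `header`, `escapeHTML`) and runs under taint mode so that an unchecked value cannot reach `open` by accident.

```perl
#!/usr/bin/perl -T
# Hypothetical CGI script: CGI.pm decodes the request into parameters,
# and the script does its own checking before any value touches the
# filesystem or the response. Taint mode (-T) makes Perl refuse to use
# unchecked request data in open(), system() and friends.
use strict;
use warnings;
use CGI;
use File::Spec;

my $q = CGI->new;

# Assumed data directory; all file access stays inside it.
my $BASE = '/var/www/data';

# Allowlist check for a filename parameter. Returns the untainted name,
# or undef if the value is not a single, plain path component.
# A value such as "../etc/passwd" or "/etc/passwd" fails the match.
sub safe_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    # exactly one component: no slashes, no leading dot, bounded length
    return undef unless $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    my $name = $1;                 # capturing is what clears the taint
    return undef if $name =~ /\.\./;   # defence in depth: no ".." at all
    return $name;
}

my $name = safe_filename( scalar $q->param('file') );
unless ( defined $name ) {
    print $q->header( -status => '400 Bad Request', -type => 'text/plain' );
    print "missing or invalid 'file' parameter\n";
    exit 0;
}

# Build the path from the checked component only, never from raw input.
my $path = File::Spec->catfile( $BASE, $name );

open my $fh, '<', $path or do {
    print $q->header( -status => '404 Not Found', -type => 'text/plain' );
    print "no such file\n";
    exit 0;
};
my $body = do { local $/; <$fh> };
close $fh;

# A free-text field such as 'comment' is just a string in the hash that
# CGI.pm hands back. Braces or Perl syntax inside it are never evaluated;
# the only thing to do when echoing it is to escape it for the output
# context, here HTML.
my $comment = $q->param('comment');
$comment = '' unless defined $comment;

print $q->header( -type => 'text/html' );
print "<pre>", $q->escapeHTML($body), "</pre>\n";
print "<p>Your comment: ", $q->escapeHTML($comment), "</p>\n";
```

The shape is the same whether the decoding was done by hand or by CGI.pm: the module gives you the parameters, and the allowlist regex plus the escaping on output are the checks the post says you have to do yourself either way. Embperl or mod_perl change where the script runs, not who is responsible for that step.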