Re: [Dbix-class] Re: [Catalyst] untainting utf8 text for db
thanks! I've wondered about that. I'd like to see a formal definition of what does get through that filter. Hard to test it on, say, Mandarin CHinese when you don't know the language yourself. But I've a decent database of existing content, I could see if any of that fails this test. Thanks! [\w]+ works pretty well iirc, if your locale includes UTF-8. ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Dbix-class] Re: [Catalyst] untainting utf8 text for db
of course. But how do you regex an inclusive list for any character in any human language ? On Fri, Jun 6, 2008 at 7:46 PM, Mesdaq, Ali [EMAIL PROTECTED] wrote: No escape sequence should get through if you reject any characters outside of the allowed characters. For example you could just reject the input and prompt for another input if this regex matches (?:[^a-zA-Z0-9 _]+) So escape sequences shouldn't affect this test. Thanks, -- Ali Mesdaq (CISSP, GIAC-GREM) Security Researcher II Websense Security Labs http://www.WebsenseSecurityLabs.com -- -Original Message- From: Daniel McBrearty [mailto:[EMAIL PROTECTED] Sent: Thursday, June 05, 2008 11:07 PM To: The elegant MVC web framework Cc: DBIx::Class user and developer list Subject: [Dbix-class] Re: [Catalyst] untainting utf8 text for db Thanks for the suggestions. Indeed, specifying a list of chars which is clean (e.g. [a-zA-Z0-9_] for a username in English) is optimum, and I prefer that. But when you are working with fully multilingual material, this becomes pretty much impossible. As the site in question is all about language learning and could eventually handle any language, that is the issue. Rejecting some of the suspicious chars you suggest is something I will do - but even that is not foolproof as there are various ways (more than one, IIRC, but I'm not sure what they all are) of using escape sequences to get through. Of the list you suggest, I'd need to keep (, ), ? - all the rest I could kill quite happily. Again, thanks for the input. I'm going to forward this to the DBIx::Class list (as that is probably where it should have gone in the first place). ___ List: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/dbix-class IRC: irc.perl.org#dbix-class SVN: http://dev.catalyst.perl.org/repos/bast/DBIx-Class/ Searchable Archive: http://www.grokbase.com/group/[EMAIL PROTECTED] Protected by Websense Messaging Security -- www.websense.com ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/ -- Daniel McBrearty email : danielmcbrearty at gmail.com http://www.engoi.com http://danmcb.vox.com http://danmcb.blogger.com find me on linkedin and facebook BTW : 0873928131 ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Dbix-class] Re: [Catalyst] untainting utf8 text for db
Daniel McBrearty wrote on 6/7/08 5:25 AM: of course. But how do you regex an inclusive list for any character in any human language ? [\w]+ works pretty well iirc, if your locale includes UTF-8. -- Peter Karman . http://peknet.com/ . [EMAIL PROTECTED] ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] untainting utf8 text for db
Thanks for the suggestions. Indeed, specifying a list of chars which is clean (e.g. [a-zA-Z0-9_] for a username in English) is optimum, and I prefer that. But when you are working with fully multilingual material, this becomes pretty much impossible. As the site in question is all about language learning and could eventually handle any language, that is the issue. Rejecting some of the suspicious chars you suggest is something I will do - but even that is not foolproof as there are various ways (more than one, IIRC, but I'm not sure what they all are) of using escape sequences to get through. Of the list you suggest, I'd need to keep (, ), ? - all the rest I could kill quite happily. Again, thanks for the input. I'm going to forward this to the DBIx::Class list (as that is probably where it should have gone in the first place). ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
RE: [Dbix-class] Re: [Catalyst] untainting utf8 text for db
No escape sequence should get through if you reject any characters outside of the allowed characters. For example you could just reject the input and prompt for another input if this regex matches (?:[^a-zA-Z0-9 _]+) So escape sequences shouldn't affect this test. Thanks, -- Ali Mesdaq (CISSP, GIAC-GREM) Security Researcher II Websense Security Labs http://www.WebsenseSecurityLabs.com -- -Original Message- From: Daniel McBrearty [mailto:[EMAIL PROTECTED] Sent: Thursday, June 05, 2008 11:07 PM To: The elegant MVC web framework Cc: DBIx::Class user and developer list Subject: [Dbix-class] Re: [Catalyst] untainting utf8 text for db Thanks for the suggestions. Indeed, specifying a list of chars which is clean (e.g. [a-zA-Z0-9_] for a username in English) is optimum, and I prefer that. But when you are working with fully multilingual material, this becomes pretty much impossible. As the site in question is all about language learning and could eventually handle any language, that is the issue. Rejecting some of the suspicious chars you suggest is something I will do - but even that is not foolproof as there are various ways (more than one, IIRC, but I'm not sure what they all are) of using escape sequences to get through. Of the list you suggest, I'd need to keep (, ), ? - all the rest I could kill quite happily. Again, thanks for the input. I'm going to forward this to the DBIx::Class list (as that is probably where it should have gone in the first place). ___ List: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/dbix-class IRC: irc.perl.org#dbix-class SVN: http://dev.catalyst.perl.org/repos/bast/DBIx-Class/ Searchable Archive: http://www.grokbase.com/group/[EMAIL PROTECTED] Protected by Websense Messaging Security -- www.websense.com ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] untainting utf8 text for db
On 5 Jun 2008, at 19:05, Daniel McBrearty wrote:
database contains text fields which can be in any language and contain
any text and punctuation
1. I am getting params back via a web form to create new records. What
do I do to validate input (apart from length check)?
2. I want to take a param and do a like(%$param%) search returning
matching records. How do I protect this?
You mean foo LIKE '%$param%' and its done by
$rs-search({ col = { -like = %$param% } })
-ash
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] untainting utf8 text for db
yes, that's what I meant. but does using the DBIx::Class construct
sanitise, provide safety and prevent unwanted babies though?
IIRC it does for creating records.
On Thu, Jun 5, 2008 at 8:10 PM, Ash Berlin [EMAIL PROTECTED] wrote:
On 5 Jun 2008, at 19:05, Daniel McBrearty wrote:
database contains text fields which can be in any language and contain
any text and punctuation
1. I am getting params back via a web form to create new records. What
do I do to validate input (apart from length check)?
2. I want to take a param and do a like(%$param%) search returning
matching records. How do I protect this?
You mean foo LIKE '%$param%' and its done by
$rs-search({ col = { -like = %$param% } })
-ash
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
--
Daniel McBrearty
email : danielmcbrearty at gmail.com
http://www.engoi.com
http://danmcb.vox.com
http://danmcb.blogger.com
find me on linkedin and facebook
BTW : 0873928131
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
RE: [Catalyst] untainting utf8 text for db
I inquired about this myself a few months ago. Consensus if I remember
correctly was that DBIC gives you some safety in that it uses place
holders but that does not mean your protected fully from bad input or
malicious abuse of that parameter. I personally like having input meet
specific requirements and if doesn't meet them then just reject it. But
that does not always fly especially if you HAVE to be flexible. Another
approach is rejecting input if it has characters or data that you know
you don't want or expect things like , %, (, ), \, /, ?, `, *, +, just
as some examples. I think its better to be more strict with input than
less strict especially if its public facing. If its internal then its
different story.
Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--
-Original Message-
From: Daniel McBrearty [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2008 11:22 AM
To: The elegant MVC web framework
Subject: Re: [Catalyst] untainting utf8 text for db
yes, that's what I meant. but does using the DBIx::Class construct
sanitise, provide safety and prevent unwanted babies though?
IIRC it does for creating records.
On Thu, Jun 5, 2008 at 8:10 PM, Ash Berlin [EMAIL PROTECTED]
wrote:
On 5 Jun 2008, at 19:05, Daniel McBrearty wrote:
database contains text fields which can be in any language and
contain any text and punctuation
1. I am getting params back via a web form to create new records.
What do I do to validate input (apart from length check)?
2. I want to take a param and do a like(%$param%) search returning
matching records. How do I protect this?
You mean foo LIKE '%$param%' and its done by
$rs-search({ col = { -like = %$param% } })
-ash
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive:
http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
--
Daniel McBrearty
email : danielmcbrearty at gmail.com
http://www.engoi.com
http://danmcb.vox.com
http://danmcb.blogger.com
find me on linkedin and facebook
BTW : 0873928131
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive:
http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Protected by Websense Messaging Security -- www.websense.com
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
