Re: Opening a pipe when taint mode is enabled (was: Send email using SMTP)
Gunnar Hjalmarsson wrote:
Adam Jimerson wrote:
According to perlsec I need to use it as a key in a hash or reference a
substring. The example given is
,[ ]
if ($data =~ /^([...@\w.]+)$/) {
$data = $1; # $data now untainted
} else {
die Bad data in '$data'; # log this somewhere
}
`
When I tried it, using the same search string,
What happened then? Show us the code and possible error messages, please.
all I need is to check for
alphanumeric characters to cover the name, email address and a message.
Are there tainted email address and message variables also?
Is there something wrong with the above search string?
Only you can tell, I suppose...
I attached my code for my program, the error doesn't happen until the form
is filled out. The error that I get is Insecure dependency in piped open
while running with -T switch at /srv/www/cgi-bin/contact line 96. All the
variables that have user submitted content go through the above search
string as soon as the program retrieves it.
contact
Description: Perl program
--
To unsubscribe, e-mail: beginners-cgi-unsubscr...@perl.org
For additional commands, e-mail: beginners-cgi-h...@perl.org
http://learn.perl.org/
Re: Opening a pipe when taint mode is enabled (was: Send email using SMTP)
On Fri, Jan 9, 2009 at 6:30 PM, Adam Jimerson vend...@charter.net wrote:
Gunnar Hjalmarsson wrote:
Adam Jimerson wrote:
According to perlsec I need to use it as a key in a hash or reference a
substring. The example given is
,[ ]
if ($data =~ /^([...@\w.]+)$/) {
$data = $1; # $data now untainted
} else {
die Bad data in '$data'; # log this somewhere
}
`
When I tried it, using the same search string,
Is there something wrong with the above search string?
I attached my code for my program, the error doesn't happen until the form
is filled out. The error that I get is Insecure dependency in piped open
while running with -T switch at /srv/www/cgi-bin/contact line 96. All the
variables that have user submitted content go through the above search
string as soon as the program retrieves it.
Your regex for the name needs to include the space character. If someone
enters their first and last name with a space in between the regex will not
match, no assignment will be made and the $name variable will not be
untainted.
BTW - I missed this at first, but put some debugging code in after the regex
test which revealed the problem:
$name = param('Name');
if ($name =~ /^([...@\w. ]+)$/) {
$name = $1;
} else {
print font color=\red\Bad name ($name)/font\n; # mw debug
}
Mike
Opening a pipe when taint mode is enabled (was: Send email using SMTP)
Adam Jimerson wrote:
Gunnar Hjalmarsson wrote:
There is only one suspected variable to consider, i.e. $name, which is
probably tainted. Untaint it, and you are done. ( You remember where to
find out how, right? ;-) )
According to perlsec I need to use it as a key in a hash or reference a
substring. The example given is
,[ ]
if ($data =~ /^([...@\w.]+)$/) {
$data = $1; # $data now untainted
} else {
die Bad data in '$data'; # log this somewhere
}
`
When I tried it, using the same search string,
What happened then? Show us the code and possible error messages, please.
all I need is to check for
alphanumeric characters to cover the name, email address and a message.
Are there tainted email address and message variables also?
Is there something wrong with the above search string?
Only you can tell, I suppose...
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
--
To unsubscribe, e-mail: beginners-cgi-unsubscr...@perl.org
For additional commands, e-mail: beginners-cgi-h...@perl.org
http://learn.perl.org/
