George Vieira wrote:
> I am submitting a FORM on a web page and want to make sure no one tries to
> exploit commands submitted to the POST action, so PerlDocs showed something
> like this...
>
> if ($data =~ /^([-\@\w.]+)$/) {
>     $data = $1; # $data now untainted
> } else {
>     die "Bad data in $data"; # log this somewhere
> }
> I tried this and it seemed to work in a test.cgi program but on the live one
> it keeps saying the data is bad even when the data submitted contained only
> TEXT characters.
> I really don't understand the test line above but it says that it only
> allows text, @, -, ., 0-9 characters only.
It's removing everything in the string $data that is not either a
- or a @ (\ escaped as @ means things in Perl) or a \w being a shorthand in Perl for
a word [a-zA-Z0-9_] any number of times. Well roughly.....
What exactly is being sent in the URL to the cgi script?
I just tried this:
#!/usr/bin/perl -w
my $data = <STDIN>;
if ($data =~ /^([-\@\w.]+)$/) {
    $data = $1; # $data now untainted
} else {
    die "Bad data in $data"; # log this somewhere
}
print "data: $data\n";
$ echo "textch" | test_cgi
data: textch
$ echo "text ch" | test_cgi
Bad data in text ch
$ echo "text&ch" | test_cgi
Bad data in text&ch
So try putting in exactly what you are sending in the URL. Does the URL contain
spaces or ampersands (&'s) ?
Mike
--
--------------------------------------------------------------------
Michael Lake
Active caver, Linux enthusiast and interested in anything technical.
Safety Convenor, Australian Speleological Federation
Owner, Speleonics (Australia)
--------------------------------------------------------------------
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
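A browser sends a POST body URL-encoded (`name=George+Vieira&email=...`), so the raw body always contains `=`, `+` and `&` and can never pass the whitelist above; the check has to run on each decoded field. Here is an added example (not code from the thread) of doing that under taint mode, with per-field patterns; the field names, patterns and sample body are assumptions made for the example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Per-field whitelist patterns (constructed for this example).
# \z instead of $ so a trailing newline cannot slip through.
my %allowed = (
    name  => qr/^([-\@\w. ]{1,64})\z/,   # the thread's set plus spaces
    email => qr/^([-\@\w.]{1,254})\z/,   # the thread's pattern
);

# Decode one application/x-www-form-urlencoded component.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Split the body into fields, decode each, then untaint each
# value against its own pattern. Rejected or unexpected fields
# are reported to STDERR (stand-in for a log) and left out.
sub untaint_form {
    my ($body) = @_;
    my %clean;
    for my $pair (split /&/, $body) {
        my ($k, $v) = map { url_decode($_) } split /=/, $pair, 2;
        next unless defined $v;
        my $re = $allowed{$k};
        if (!$re) {
            warn "Unexpected field '$k' ignored\n";
            next;
        }
        if ($v =~ $re) {
            $clean{$k} = $1;    # $1 is untainted
        } else {
            warn "Bad data in field '$k': [$v]\n";
        }
    }
    return \%clean;
}

# Constructed sample POST body, as a browser would send it.
my $body = 'name=George+Vieira&email=george%40example.com&x=1';
print "raw body matches: ", ($body =~ /^[-\@\w.]+$/ ? "yes" : "no"), "\n";
my $clean = untaint_form($body);
print "$_: $clean->{$_}\n" for sort keys %$clean;
```

Run it as `perl -T untaint_form.pl` (or make it executable) so the shebang's `-T` takes effect; the raw-body check prints "no" while both decoded fields come through untainted.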