Sigh.  Once again, forgot to send this to the group :(

Maybe I should drop "Senior" from my job title?

--- Curtis Poe <[EMAIL PROTECTED]> wrote:
> Date: Wed, 6 Jun 2001 15:41:51 -0700 (PDT)
> From: Curtis Poe <[EMAIL PROTECTED]>
> Reply-to: [EMAIL PROTECTED]
> Subject: Re: cgi-lib.pl
> To: Cheryl Kirkpatrick <[EMAIL PROTECTED]>
> 
> --- Cheryl Kirkpatrick <[EMAIL PROTECTED]> wrote:
> > Should I use "cgi-lib.pl" ? Why or why not?
> 
> Another reason not to use cgi-lib.pl is that it separates multiple values for a
> particular form element with an ASCII zero (a null byte or \0).  This creates a
> problem that you can read about at
> http://www.perlmonks.org/index.pl?node_id=38548
> 
> Summary of the above link:  Perl is written in C and C, unlike Perl, recognizes
> the ASCII zero as a string delimiter.  Sometimes, Perl will pass data to a C lib
> and that lib will see an ASCII zero and behave differently from what you are
> expecting.  This can open up a variety of security problems, as detailed in
> http://www.insecure.org/news/P55-07.txt (warning, that's a fairly difficult
> article to wade through).
> 
> Since cgi-lib.pl deliberately uses ASCII zero to separate multiple values, it's
> relatively easy to accidentally incorporate that into your data.
> 
> Cheers,
> Curtis Poe
> 
> =====
> Senior Programmer
> Onsite! Technology (http://www.onsitetech.com/)
> "Ovid" on http://www.perlmonks.org/


=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
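The point Curtis makes above, as an added example that is not part of the original mail or of cgi-lib.pl itself: a cgi-lib.pl-style multi-value string carries "\0" between the values, Perl happily keeps the whole string, but a C-level routine that uses strlen() would stop at the first null byte.  The sample value and the helper names (split_multi, assert_no_null) are constructed for this illustration; the defensive habit is to split the values apart and refuse any single value that still contains a NUL before it reaches a file name or another C API.

```perl
#!/usr/bin/perl
# Added example, not code from the original mail or from cgi-lib.pl.
use strict;
use warnings;

# Constructed sample: two checkbox values submitted for one form field,
# joined with "\0" the way cgi-lib.pl's ReadParse does for repeated elements.
my $multi = "red\0blue";

# Perl keeps all of it; C code that relies on strlen() sees only up to the NUL.
my $c_visible = (split /\0/, $multi, 2)[0];
printf "Perl sees %d bytes, a strlen()-based C routine sees %d\n",
    length($multi), length($c_visible);

# Split a cgi-lib.pl multi-value string back into its individual values.
sub split_multi {
    my ($value) = @_;
    return split /\0/, $value, -1;   # -1 keeps trailing empty fields
}

# Defensive check: any value headed for a file name, path, or other C-level
# call must not contain an ASCII zero at all.  Refuse rather than truncate,
# because silent truncation is exactly the behaviour the Phrack article
# linked above warns about.
sub assert_no_null {
    my ($name, $value) = @_;
    if (index($value, "\0") >= 0) {
        die "Parameter '$name' contains an embedded NUL byte; refusing\n";
    }
    return $value;
}

my @colours = split_multi($multi);
print "individual values: ", join(", ", map { "'$_'" } @colours), "\n";

# Each split value passes; the still-joined string is rejected.
assert_no_null('colour', $_) for @colours;
eval { assert_no_null('colour', $multi) };
print "joined value rejected: $@" if $@;
```

Run it as a plain script; no CGI environment is needed because the form value is constructed inline.  The same assert_no_null check belongs in front of every open(), unlink(), or system call that takes user-supplied data, whichever CGI parser you end up using.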
