Is there a good tutorial on untainting data received via a cgi script?

On Tue, 26 Feb 2002, Curtis Poe wrote:
> --- erotomek <[EMAIL PROTECTED]> wrote:
> > ALWAYS USE THE TAINT MODE !!!
> >
> > Use the -T switch:
> >
> > #!/usr/bin/perl -wT
> >
> > and untaint the $file variable:
> >
> > die 'INSECURE $file !!!' if $file =~ /\.\./;
> > if ($file =~ /^([-\w./]+)$/) { $file = $1 }
> > else { die 'INSECURE $file !!!' }
> >
> > and now you can use it.
>
> You supplied some great information, however, your example of plugging the security hole has a
> security hole itself. From the command line on any *nix system, enter the following (assuming you
> are not in root):
>
> cd \.\.
>
> You quickly discover that the shell allows those dots to be escaped. In a url, that translates to
> something like:
>
> %5c.%5c.%2F%5c.%5c.%2Fetc%2Fpasswd
>
> (That's "\.\./\.\./etc/passwd")
>
> Many variations of that can be tried to find out if there is a security hole. If you must allow
> the user to specify a file name, get rid of any ASCII zeroes in the file name (to prevent NUL byte
> hacks -- I explain that at
> http://www.easystreet.com/~ovid/cgi_course/lesson_three/lesson_three.html under the title "Poison
> Null byte"). Then, you can use File::Path to get the real filename. Even then, though, I'm leery
> of allowing the user data near the shell, but sometimes it is necessary.
>
> Cheers,
> Curtis "Ovid" Poe
>
> =====
> "Ovid" on http://www.perlmonks.org/
> Someone asked me how to count to 10 in Perl:
> push@A,$_ for reverse q.e...q.n.;for(@A){$_=unpack(q|c|,$_);@a=split//;
> shift@a;shift@a if $a[$[]eq$[;$_=join q||,@a};print $_,$/for reverse @A

--
Rob

Good judgement comes from experience, and experience - well, that comes from poor judgement.
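As an added example, not code from either poster: a Perl function that combines the checks raised in this thread (taint-mode capture into `$1`, rejection of NUL bytes, rejection of `..` path components, and canonicalisation against a base directory). The base directory is an assumption; it is created here as a temporary directory so the script runs stand-alone.

```perl
#!/usr/bin/perl -wT
# Added example, not code from the thread: untaint a CGI-supplied file name
# under taint mode, applying the checks discussed above.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

sub untaint_filename {
    my ($tainted, $base) = @_;

    # 1. Poison NUL byte: reject before anything else, since a C-level open()
    #    would silently stop reading the name at the NUL.
    return (undef, 'NUL byte') if $tainted =~ /\0/;

    # 2. Whitelist; the capture into $1 is what clears the taint flag.
    #    Backslashes are not in the class, so "\.\./" is rejected outright.
    my ($clean) = $tainted =~ m{^([-\w./]+)$}
        or return (undef, 'character outside whitelist');

    # 3. No absolute paths and no ".." path component. Checking components
    #    rather than the substring also permits legitimate names like "a..b".
    return (undef, 'absolute path') if $clean =~ m{^/};
    return (undef, '".." component') if grep { $_ eq '..' } split m{/}, $clean;

    # 4. Canonicalise (symlinks, "." parts) and confirm the real path is still
    #    under the base directory. realpath() needs the target to exist.
    my $real_base = realpath($base);
    my $full      = realpath(File::Spec->catfile($base, $clean));
    return (undef, 'no such file') unless defined $real_base && defined $full;
    return (undef, 'escapes base directory') unless index($full, "$real_base/") == 0;
    return ($full, undef);
}

# Constructed sandbox (an assumption): a temporary base directory with one file.
my $BASE = tempdir(CLEANUP => 1);
make_path("$BASE/docs");
open my $fh, '>', "$BASE/docs/readme.txt" or die $!;
close $fh;

# Constructed inputs, including the URL-decoded forms quoted in the thread.
for my $name ('docs/readme.txt', "\\.\\./\\.\\./etc/passwd",
              '../../etc/passwd', "docs/readme.txt\0.jpg", '/etc/passwd') {
    my ($path, $err) = untaint_filename($name, $BASE);
    printf "%-26s => %s\n", $name =~ s/\0/\\0/gr,
        defined $path ? "OK $path" : "REJECTED ($err)";
}
```

Because `-T` is on the shebang line, run it as `perl -T untaint.pl` (or via the shebang); plain `perl untaint.pl` refuses to start with "Too late for -T".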