Saturday, March 16, 2002, 9:58:15 AM, Gary Hawkins wrote:

> Web form element names automatically become script variable names and are
> assigned their values...

> use CGI 'param';

> for $name (param()) {
>         $$name = param($name);
> }

> The double $$ is not a typo.  Your question, resulting in this solution, has
> reduced the script I'm working on by about 2000 bytes, or about 3%.  Thank
> you.


That's quite scary...

You've just allowed input from a web form to stomp all over
all your variables. You're very trusting.

Here's a really simple example of something that could break
your code:

  #!/usr/bin/perl -w

  use CGI 'param';

  for $name (param()) {
    $$name = param($name);
  }

  print CGI::header();
  print "hello\n";
  print "foo\n";
  print "bar\n";

what could possibly go wrong with that?

try running it under a webserver and requesting the url:

http://server.com/cgi-bin/script.pl?\=The%20CEO%20sucks

imagine if you were reading from files, perhaps we could
redefine $/ for you, perhaps $/ = "a"... so if you used code
like:

  foreach my $line (<FILE>) {
    my $result = &do_something($line);
  }

suddenly a "line" is whatever is between two 'a' characters,
rather than between \n's... lovely...

and that's just a couple of really simple things... how
about code like this in a credit card refund script:

  use CGI 'param';
  use LWP::Simple;
  my $credit_card_server = "secure.mybank.com";
  my $username = "my_secret_username";
  my $password = "my_password";
  for $name (param()) {
    $$name = param($name);   # every package variable above is writable from the query string
  }

  my $result = get("https://$credit_card_server/refund.pl?" .
                   "username=$username&password=$password&" .
                   ...some more details about what to refund...
                  );

a sneaky user could easily redefine "$credit_card_server",
and you'd happily post your username and password to
whichever server they wanted. The user's now free to refund
any purchase they ever make from your store. peachy.


From the CGI docs:

  $query->import_names('R');

  This creates a series of variables in the 'R' namespace.
  For example, $R::foo, @R::foo. For keyword lists, a
  variable @R::keywords will appear. If no namespace is
  given, this method will assume 'Q'. WARNING: don't import
  anything into 'main'; this is a major security risk!!!!



-- 
Best Regards,
Daniel                   [EMAIL PROTECTED]
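The clobbering described in this message, and the two fixes it points at (use strict, or keep form data out of main::), as an added example that is not part of the original thread. It assumes CGI.pm is installed; CGI->new accepts a query string, so it runs offline without a web server, and the hostile query and the sub names are constructed for illustration.

```perl
# Added example, not from the thread: CGI->new accepts a query string, so it
# runs offline; the hostile query is constructed for illustration.
use strict;
use warnings;
use CGI;

# Overrides the bank hostname and clobbers $\ via a parameter literally named "\".
my $hostile = 'credit_card_server=attacker.example&%5C=%20sucks&amount=10';

# 1. The loop from the thread: symbolic refs write straight into main::
sub vulnerable {
    no strict 'refs';
    our $credit_card_server = 'secure.mybank.com';
    local $\;                               # confine the $\ damage to this sub
    my $q = CGI->new(shift);
    for my $name ($q->param) {
        $$name = $q->param($name);          # sets $main::credit_card_server, $\
    }
    return ($credit_card_server, $\);
}

# 2. The same loop under 'use strict': the symbolic reference dies instead.
sub strict_refuses {
    my $q = CGI->new(shift);
    my $server = 'secure.mybank.com';       # lexical: unreachable by name anyway
    eval {
        for my $name ($q->param) {
            $$name = $q->param($name);      # "Can't use string ... as a SCALAR ref"
        }
    };
    return $@ ? "died: $@" : $server;
}

# 3. Safe: whitelist into a lexical hash ($q->import_names('R') also refuses 'main').
my %ALLOWED = map { $_ => 1 } qw(amount order_id);
sub whitelisted {
    my $q = CGI->new(shift);
    my $credit_card_server = 'secure.mybank.com';
    my %in;
    for my $name ($q->param) {
        next unless $ALLOWED{$name};        # unknown names are dropped
        $in{$name} = $q->param($name);
    }
    return ($credit_card_server, \%in);
}

my ($srv, $ors) = vulnerable($hostile);
my ($srv2, $in) = whitelisted($hostile);
print "vulnerable: server=$srv \$\\=[$ors]\nstrict: ", strict_refuses($hostile);
print "whitelist: server=$srv2 params=", join(',', sort keys %$in), "\n";
```

Run it once with the hostile query and once with a benign one such as `amount=10` to see that only the first sub ever loses control of `$credit_card_server`.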