untainting data

2004-11-10 Thread David Gilden
Hello,


Is the following all I need to untaint data?


#!/usr/bin/perl

use CGI qw/:standard/;

my $name = param('name');

$name =~ s/(\w+)/$1/;

What can I do to limit string length to 40 characters?

Thanks,

Dave

(kora musician / audiophile / webmaster @ www.coraconnection.com / Ft. Worth, TX, USA)

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 




Re: untainting data

2004-11-10 Thread Gunnar Hjalmarsson
David Gilden wrote:
> Is the following all I need to untaint data?
>
> #!/usr/bin/perl
> use CGI qw/:standard/;
> my $name = param('name');
> $name =~ s/(\w+)/$1/;

That does not untaint anything.

What you need to do to learn about taint mode is to read the
applicable docs:

perldoc perlsec

> What can I do to limit string length to 40 characters?

Use a suitable function, or a regex, or something like that. What have
you tried?

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl



Re: untainting data

2004-11-10 Thread Sara
If the 'name' is coming from a form, try limiting it within the form tags;
it's always a better idea.



Or, if you insist on doing it within the script, use the 'substr' function.

my $name = param('name');

my $limited_name = substr($name, 0, 40);

Thanks,
Sara.




- Original Message -
From: "David Gilden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 10, 2004 11:49 PM
Subject: untainting data






Re: untainting data

2004-11-10 Thread B McKee
On Wednesday, November 10, 2004, at 04:02 PM, Sara wrote:
> If the 'name' is coming from a form, try limiting it within the form
> tags; it's always a better idea.

I thought (correct me if I'm wrong here - I'm no expert)
that you want to do this at both ends
because the bad guys can always create their own form
(or whatever) and shove bad data at the web server.
Brian



Re: untainting data

2004-11-10 Thread Gunnar Hjalmarsson
Sara wrote:
> If the 'name' is coming from a form, try limiting it within the form
> tags; it's always a better idea.

Better!? Nope. It may be a convenient *supplement*, so that people don't
need to unnecessarily type a string that the script immediately rejects,
but please note that people can submit to the script using e.g. their
own form, so if you want to *make sure* that longer strings are not
accepted, the maxlength attribute is not sufficient, and can *never*
replace a proper validation of the form data.
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
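The following script is an added example written for this page; it is not code from David, Gunnar or anyone else in the thread. It puts Gunnar's two points together in runnable form: that `s/(\w+)/$1/` leaves the value tainted, and that the 40-character limit has to be enforced in the script regardless of any maxlength in the form. It assumes the value arrives in @ARGV instead of param('name') so it can be run offline (under -T, @ARGV is tainted exactly like CGI input), and it assumes a whitelist of word characters, which is a choice, not something the thread specifies.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): demonstrates that s/(\w+)/$1/
# does not untaint a CGI-style value, and shows an anchored capture that
# both untaints and enforces the 40-character limit on the server side.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run as:   perl -T untaint.pl 'Dave'
# Under -T, @ARGV is tainted, just as param('name') would be, so it
# stands in for the form field here (assumption for offline use).
my $raw = @ARGV ? $ARGV[0] : die "usage: $0 NAME\n";

# 1. The original attempt.  $1 itself is untainted, but the substitution
#    only rewrites the matched run of word characters; the scalar as a
#    whole is still derived from tainted input and stays tainted.
my $attempt = $raw;
$attempt =~ s/(\w+)/$1/;
printf "after s/(\\w+)/\$1/ : %s (tainted: %s)\n",
    $attempt, tainted($attempt) ? 'yes' : 'no';

# 2. Validate and untaint in one step: accept only 1..40 word characters,
#    anchored at both ends, and copy the capture out.  Anything else is
#    rejected outright rather than "cleaned up" with substr or s///.
my $name = untaint_name($raw);
if (defined $name) {
    printf "accepted           : %s (tainted: %s, length %d)\n",
        $name, tainted($name) ? 'yes' : 'no', length $name;
} else {
    print "rejected           : not 1-40 word characters\n";
}

# Returns the untainted value, or undef if it fails the whitelist.
# \A and \z (not ^ and $) so a trailing newline cannot slip through.
sub untaint_name {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A(\w{1,40})\z/ ? $1 : undef;
}
```

With `perl -T untaint.pl Dave` the first line reports the value as still tainted and the second reports it accepted and untainted; a 41-character argument, or one containing spaces, punctuation or a trailing newline, is rejected instead of being truncated. Truncating with substr, as suggested elsewhere in the thread, enforces the length but does not untaint, so the script would still die on the first unsafe use of the value. If you want an ASCII-only whitelist, replace `\w` with `[A-Za-z0-9_]`.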



Re: untainting data

2004-11-10 Thread Sara
> bad guys can always create their own form

I can't say how others do it, but almost every script of mine starts with:

if ($ENV{'HTTP_REFERER'} !~ /yourdomain.com/) {
    exit;
}

It helps eliminate the bad guys' forms and shoving of data (no remote postings
allowed).

Sara.




- Original Message -
From: "B McKee" <[EMAIL PROTECTED]>
To: "Sara" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, November 11, 2004 2:13 AM
Subject: Re: untainting data






RE: untainting data

2004-11-10 Thread Bob Showalter
Sara wrote:
> > bad guys can always create their own form
> 
> I can't say how others do it, but almost every script of mine starts with:
> 
> if ($ENV{'HTTP_REFERER'} !~ /yourdomain.com/) {
>     exit;
> }
> 
> It helps eliminate the bad guys' forms and shoving of data (no remote
> postings allowed).

You do know that the Referer header can be trivially spoofed?





Re: untainting data

2004-11-10 Thread Sara
No, I don't know; can you please explain?

How can it be spoofed? I am interested in details.


- Original Message - 
From: "Bob Showalter" <[EMAIL PROTECTED]>
To: "'Sara'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, November 11, 2004 3:17 AM
Subject: RE: untainting data






Re: untainting data

2004-11-10 Thread Gunnar Hjalmarsson
Sara wrote:
> > bad guys can always create their own form
>
> I can't say how others do it, but almost every script of mine starts with:
>
> if ($ENV{'HTTP_REFERER'} !~ /yourdomain.com/) {
>     exit;
> }
>
> It helps eliminate the bad guys' forms and shoving of data

Really?

use HTTP::Request::Common 'POST';
use LWP::UserAgent;

my $ua  = LWP::UserAgent->new;
my $req = POST 'http://yourdomain.com/cgi-bin/sara.cgi',
    referer => 'yourdomain.com',
    content => [ name => 'hello' x 20 ];
my $res = $ua->request($req);
print $res->content;

As you can see, it's very easy to fake the HTTP_REFERER.
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl