PerlMonks
Re: Any security holes?

by haukex (Archbishop)
on Jun 26, 2022 at 15:23 UTC (id://11145085)


in reply to Any security holes?

> I was wondering if there are any security concerns in my .pl file?

Yes - as LanX already alluded to, this is susceptible to a Cross Site Scripting (XSS) attack. One way to help mitigate this is to escape any strings you're inserting into the HTML, for example with HTML::Entities. Other comments:

  • Always use strict and warnings!
  • The whole @pairs code seems unnecessary; it looks like you've copied some really old Perl form-parsing code from somewhere, but this is not needed because you're already using CGI.pm, which does this for you.
  • You're not checking open for errors - "open" Best Practices
  • You're not locking your drivers.html file while you are editing it, which could cause problems when multiple requests are submitted at the same time (though I don't know how flock behaves on Windows).

But really, you shouldn't be using this really old-school CGI.pm style code anymore. You probably want to look into UP-TO-DATE Comparison of CGI Alternatives, in particular I'm a fan of Mojolicious, its templating engine would be very useful here because it can escape HTML special characters automatically when inserting variables into HTML. I have a bunch of Mojo examples on my scratchpad Update: and I've now posted a full example here.
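The points above (escape before inserting into HTML, let CGI.pm do the parsing, check open, lock the file) put together in one minimal script. This is an added example, not the OP's script or haukex's code: the field names name and age are hypothetical, drivers.html is the file the original post appends to, and on current perls CGI and HTML::Entities must be installed from CPAN.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;                                  # not core since perl 5.22; install from CPAN
use HTML::Entities qw(encode_entities);
use Fcntl qw(:flock SEEK_END);

my $file = 'drivers.html';                # the file the original post appends to

my $q = CGI->new;
# CGI.pm has already parsed the query string / POST body, so no manual
# split-on-& "@pairs" code is needed.
my $name = $q->param('name') // '';       # hypothetical field names
my $age  = $q->param('age')  // '';

# VULNERABLE: interpolating raw input into HTML. A "name" of
#   <script>alert(document.cookie)</script>
# would be stored in drivers.html and run in every visitor's browser:
#   print $fh "<li>$name ($age)</li>\n";

# FIX: escape before the value becomes HTML ('<' -> '&lt;', '"' -> '&quot;', ...).
my $safe_name = encode_entities($name, q{<>&"'});
my $safe_age  = encode_entities($age,  q{<>&"'});

# Check open for errors and hold an exclusive lock while appending, so two
# simultaneous requests cannot interleave their writes.
open my $fh, '>>', $file   or die "Cannot open $file for append: $!";
flock $fh, LOCK_EX         or die "Cannot lock $file: $!";
seek $fh, 0, SEEK_END      or die "Cannot seek $file: $!";  # another writer may have appended while we waited
print $fh "<li>$safe_name ($safe_age)</li>\n"
                           or die "Cannot write to $file: $!";
close $fh                  or die "Cannot close $file: $!"; # also releases the lock

print $q->header(-type => 'text/html', -charset => 'UTF-8');
print "<!DOCTYPE html>\n<html><body>\n",
      "<p>Added driver $safe_name, age $safe_age.</p>\n",
      "</body></html>\n";
```

Escaping happens at the point where the value is turned into HTML, so the stored drivers.html is safe to serve as-is. The second argument to encode_entities lists exactly which characters to encode; with no second argument it also encodes every non-ASCII character, which is safe but makes the stored file harder to read.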

Re^2: Any security holes?
by LanX (Saint) on Jun 26, 2022 at 17:05 UTC
    (Just for the records, I know you know this already! =)

    > to help mitigate this is to escape any strings ... HTML::Entities.

    Yes escaping mitigates injections, and is a good first workaround.

    But I always prefer to strictly reject any unexpected character.

    For instance, why should an input "age" include anything else than digits, why "name" more than word characters plus maybe . - and ' ?

    Additionally: In my applications I apply the exact same regex filter rules via JS input validators on the client side too.²

    This way I can not only reject broken input on the server side, but also raise an alarm about an intentional manipulation. °

    All this of course plus escaping or use of placeholders on all interpreted levels (HTML,JS,Perl,SQL,...).

    Security is best provided by multiple lines of defense.

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    Wikisyntax for the Monastery

    °) that's part of OWASP too.

    ²) thankfully, JS copied Perl4 Regex rules almost completely

      > why "name" more than word characters plus maybe . - and ' ?

      See the excellent Falsehoods Programmers Believe About Names. I recognise and applaud your general sentiment but you need to be very careful about rejecting potentially valid data too.

      If in doubt, refer to the spec. If there is no spec, insist on one.


      🦛

        Ha! I only look like a biter. I didn’t see your reply, reading down in order, until I had posted mine.

        I was too lazy to come up with another field like maybe "ZIP-code" ... mea culpa.

        The intranet app I wrote back then was one for password resetting for the 10k+ users of our services inside our company.

        The "name" I'm referring to, was actually our normalized, standardized and unique employee-id inside our company.

        It actually only allowed /[a-z]/i (IIRC) and no space and is modelled roughly after "given-name"."family-name"

        But some of my colleagues allowed users to choose other usernames in our applications, but that's another story.

        I never wrote an app requesting users to register with their "real name".

        Anyway you two are right and I was wrong.

        > If in doubt, refer to the spec.

        I did. :)

        FWIW: I recently managed to skip a letter in my own family name on a flight ticket I booked online and panicked.

        Was no problem at all, turned out that airlines are allowed to accept up to 3 deviations.

        I think this is related to the article you and your mother° cited.

        Cheers Rolf
        (addicted to the Perl Programming Language :)
        Wikisyntax for the Monastery

        °) ;-P

        edit

        PS: Names_of_Sun_Yat-sen

        That article somehow reminded me of this video: https://www.youtube.com/watch?v=1LopIroSjsU

        And while I agree there is no need to be overly restrictive when it comes to names, some people deserve a good kick in the butt and a little ridicule ... and being forced to come up with a sane version of their name.

        Jenda
        1984 was supposed to be a warning,
        not a manual!

      > why "name" more than word characters plus maybe . - and ' ?

      I hope the space between '.' and '-' is significant: it is thankfully rarer these days, but I've lost count of the number of times I was rejected by a web form because "van der Sanden" did not match their concept of a valid surname. In the majority of cases, those websites lost the chance at my custom.

      Finding the right balance between strict and permissive can be hard. My preference is to look for unmistakable signals of intentional manipulation - and then ideally blackhole the IP address without further ado - but to accept anything below that high threshold, and concentrate on doing the right thing with it thereafter.

        Granted, I knew "name" was a bad example.

        Space goes without saying, and I might be ignoring more legal letters.

        A good mechanism should always include a feedback channel for criticism and adjustment.

        Though I remember having a fight with one of my colleagues who insisted that one of his clients can continue to use emojis in his user name and me having to hardcode an exception into the app ... I never "adjusted" this.

        Cheers Rolf
        (addicted to the Perl Programming Language :)
        Wikisyntax for the Monastery
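The allow-list approach Rolf describes, with the same rule text applied on both sides as in his footnote ², as an added example that is not code from anyone in this thread. Each rule is a plain string used once in the HTML5 pattern attribute (which the browser anchors implicitly) and once in an anchored Perl regex on the server, so a value that fails server-side despite the client-side check can be logged as probable tampering. The field names age, employee_id and name are hypothetical; the employee_id rule follows the given.family form described above, and the name rule is deliberately permissive for the reasons raised in the replies above. Validated values are still escaped on output.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use HTML::Entities qw(encode_entities);

# Allow-list rules as plain strings, so the same text can go into the HTML5
# "pattern" attribute client-side and an anchored regex server-side.
# Field names are hypothetical.
my %rule = (
    age         => '[0-9]{1,3}',
    employee_id => '[A-Za-z]+\.[A-Za-z]+',     # "given.family", as described in the thread
    # Free-text names legitimately contain spaces, apostrophes, hyphens and
    # non-ASCII letters, so only reject control bytes and absurd length.
    name        => '[^\x00-\x1f\x7f]{1,100}',
);

my $q = CGI->new;

# Returns (\%clean, \@bad): accepted field values, and names of rejected fields.
sub validate {
    my ($q) = @_;
    my (%clean, @bad);
    for my $field (sort keys %rule) {
        my $value = $q->param($field) // '';
        if ($value =~ /\A(?:$rule{$field})\z/) {   # \A..\z: the whole value must match
            $clean{$field} = $value;
        } else {
            push @bad, $field;
        }
    }
    return (\%clean, \@bad);
}

my @submitted = $q->param;                 # parameter names present in this request
if (!@submitted) {
    # First visit: show the form. The browser applies the same rule before
    # submitting, so honest users get immediate feedback.
    print $q->header(-type => 'text/html', -charset => 'UTF-8');
    print "<!DOCTYPE html>\n<html><body><form method=\"post\">\n";
    for my $field (sort keys %rule) {
        printf "<label>%s <input name=\"%s\" pattern=\"%s\" required></label><br>\n",
            $field, $field, encode_entities($rule{$field});
    }
    print "<input type=\"submit\" value=\"Send\"></form></body></html>\n";
    exit;
}

my ($clean, $bad) = validate($q);

if (@$bad) {
    # The client enforced the same rules, so a server-side rejection means a
    # browser without HTML5 validation, or deliberate tampering: log it
    # (STDERR ends up in the web server's error log) and refuse the request.
    my $ip = $ENV{REMOTE_ADDR} // '-';
    warn "validation failed from $ip for field(s): @$bad\n";
    print $q->header(-status => '400 Bad Request', -type => 'text/html');
    print "<!DOCTYPE html>\n<html><body><p>Invalid input for: ",
          encode_entities("@$bad"), "</p></body></html>\n";
    exit;
}

# Validation and escaping are separate lines of defence: even accepted
# values are escaped before they are interpolated into HTML.
print $q->header(-type => 'text/html', -charset => 'UTF-8');
print "<!DOCTYPE html>\n<html><body>\n";
for my $field (sort keys %$clean) {
    printf "<p>%s: %s</p>\n", $field, encode_entities($clean->{$field});
}
print "</body></html>\n";
```

Keeping the rules as strings rather than qr// objects is what makes sharing them with the pattern attribute possible; the price is that only syntax common to Perl and JavaScript regexes may be used in them (no /i flag, hence [A-Za-z] rather than [a-z] with /i).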

Re^2: Any security holes?
by Limbomusic (Acolyte) on Jun 26, 2022 at 21:42 UTC
    Wow - yes I deleted the whole @pairs code bit and it still worked. I'm a total nitwit with coding so thanks - I'm just playing around and trying things out. The html-injection/cross-scripting thing seems dangerous indeed, so okay - I learned it's possible to "escape characters" - I would like to do that - do you have a suggestion (example code) for that?
        I don't know how or where to implement it in my .pl file, could you help? It seems that this would do the trick:  $encoded = encode_entities($input, '<>&"'); It seems this would negate all these characters and that's exactly what I want - but how?
      > I'm just playing around and trying things out.

      I hope you are aware that running CGI programs on the internet is not a good idea for trying things out. The internet as a whole is not a particularly friendly place. When a new server starts to respond on port 80, it takes just some minutes before robots will start poking it for security holes. If you point your friends to use your new playground, you're putting them at risk because their browser might run malicious code.
