Re: Any security holes?

by Limbomusic (Acolyte)
on Jun 26, 2022 at 23:57 UTC [id://11145102]


in reply to Any security holes?

All right,

my $whatever = encode_entities($whatever, '<>&"');

did the trick! Now, if I put html code into the input field it doesn't mess up anything. Thanx for steering me to the answer. (and fast too) Heartily appreciated. Hugs

Are there still any blatant security risks? My script now:
#!C:\Perl64\site\bin\perl.exe
use warnings;
use HTML::Entities;
use CGI;
my $cgi = CGI->new();    # create new CGI object
{
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%(..)/pack("C", hex($1))/eg;
    $FORM{$name} = $value;
}
my $nick  = $cgi->param('nick');
my $pic   = $cgi->param('pic');
my $say   = $cgi->param('say');
my $likes = $cgi->param('likes');
my $fav   = $cgi->param('fav');
my $car   = $cgi->param('car');
my $age   = $cgi->param('age');
my $town  = $cgi->param('town');
my $drink = $cgi->param('drink');
my $wpage = $cgi->param('wpage');
my $nick  = encode_entities($nick,  '<>&"');
my $pic   = encode_entities($pic,   '<>&"');
my $say   = encode_entities($say,   '<>&"');
my $likes = encode_entities($likes, '<>&"');
my $fav   = encode_entities($fav,   '<>&"');
my $age   = encode_entities($age,   '<>&"');
my $town  = encode_entities($town,  '<>&"');
my $drink = encode_entities($say,   '<>&"');
my $say   = encode_entities($drink, '<>&"');
my $wpage = encode_entities($wpage, '<>&"');
open(my $fh, '>>', 'drivers.html');
print "Content-type:text/html\r\n\r\n";
print $fh "<b>$nick</b><br><img src='$pic' width='250' height='auto' border='2'><br><br>Says <b>$say</b><br>Likes <b>$likes</b><br>Favorite vehicle <b>$fav</b><br> Real life car/vehicle <b>$car</b><br>Age <b>$age</b><br>Hometown <b>$town</b><br>Favorite drink <b>$drink</b><br><b><a href='$wpage'>$wpage</a></b><HR color=#008000 SIZE=2>\n";
print "<html><head><meta http-equiv = 'refresh' content = '0; url = drivers.html' /></head>";
close $fh;

Replies are listed 'Best First'.
Re^2: Any security holes?
by hippo (Bishop) on Jun 27, 2022 at 08:45 UTC
      Thank you very much guys for the help - I removed the whole split/pair segment and it still works like a charm. I will read and tinker some more about making it safer.
Re^2: Any security holes?
by AnomalousMonk (Archbishop) on Jun 27, 2022 at 13:59 UTC
    my $nick = $cgi->param('nick');
    ...
    my $wpage = $cgi->param('wpage');
    my $nick = encode_entities($nick, '<>&"');
    ...
    my $wpage = encode_entities($wpage, '<>&"');

    Not to address any security hole but just to simplify and DRY out the code a bit, you might try one of these untested approaches.

    my ($nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage)
        = map { encode_entities($cgi->param($_), '<>&"') }
          qw( nick pic say likes fav car age town drink wpage );
    Or else (and better IMHO):
    use constant CGI_PARAMS => qw( nick pic say likes fav car age town drink wpage );

    # key each entry by the parameter name and store its encoded value
    my %param = map { $_ => encode_entities($cgi->param($_), '<>&"') } CGI_PARAMS;
    ...
    print $fh <<"EOHTML";
    <b>$param{'nick'}</b><br>
    <img src='$param{'pic'}' width='250' height='auto' border='2'><br>
    <br>
    Says <b>$param{'say'}</b><br>
    Likes <b>$param{'likes'}</b><br>
    Favorite vehicle <b>$param{'fav'}</b><br>
    Real life car/vehicle <b>$param{'car'}</b><br>
    Age <b>$param{'age'}</b><br>
    Hometown <b>$param{'town'}</b><br>
    Favorite drink <b>$param{'drink'}</b><br>
    <b><a href='$param{'wpage'}'>$param{'wpage'}</a></b>
    <HR color=#008000 SIZE=2>
    EOHTML


    Give a man a fish:  <%-{-{-{-<

      > simplify and DRY out the code a bit,

      simpler and DRYer with loop-aliasing ... ;)

      use strict;
      use warnings;
      use HTML::Entities;

      # init
      my ($nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage)
          = ("<html>") x 10;

      # escape
      for my $alias ($nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage) {
          encode_entities($alias);
      }

      # out
      print "$nick ... $wpage";

      &lt;html&gt; ... &lt;html&gt;

      edit

      or just

      encode_entities($_) for $nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage;

      Cheers Rolf
      (addicted to the Perl Programming Language :)
      Wikisyntax for the Monastery

        Your last suggestion worked well - now my script is:
        #!C:\Perl64\site\bin\perl.exe
        use strict;
        use warnings;
        use HTML::Entities;
        use CGI;
        my $cgi = CGI->new();
        my $nick  = $cgi->param('nick');
        my $pic   = $cgi->param('pic');
        my $say   = $cgi->param('say');
        my $likes = $cgi->param('likes');
        my $fav   = $cgi->param('fav');
        my $car   = $cgi->param('car');
        my $age   = $cgi->param('age');
        my $town  = $cgi->param('town');
        my $drink = $cgi->param('drink');
        my $wpage = $cgi->param('wpage');
        encode_entities($_) for $nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage;
        open(my $fh, '>>', 'drivers.html');
        print "Content-type:text/html\r\n\r\n";
        print $fh "<b>$nick</b><br><img src='$pic' width='250' height='auto' border='2'><br><br>Says <b>$say</b><br>Likes <b>$likes</b><br>Favorite vehicle <b>$fav</b><br> Real life car/vehicle <b>$car</b><br>Age <b>$age</b><br>Hometown <b>$town</b><br>Favorite drink <b>$drink</b><br><b><a href='$wpage'>$wpage</a></b><HR color=#008000 SIZE=2>\n";
        print "<html><head><meta http-equiv = 'refresh' content = '0; url = drivers.html' /></head>";
        close $fh;
        Looking way better now eh? Will read/learn more on links provided. Thanx everyone.
Re^2: Any security holes?
by ikegami (Patriarch) on Jun 27, 2022 at 13:20 UTC

    Still possible to inject code because of your incorrect escaping. It's still as vulnerable as ever.

      Could I ask for an example of correct escaping?

        encode_entities($s) would do
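An added example (not code from this thread) that shows, with a constructed input, why ikegami's point matters for this particular script: the original script interpolates values into single-quoted attributes such as src='$pic', but the restricted unsafe set '<>&"' does not encode an apostrophe, whereas the default encode_entities set does.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities;

# Constructed sample value for the 'pic' field: an ordinary file name
# that happens to contain an apostrophe.
my $pic = "cars/rolf's_car.png";

# Restricted unsafe set as in the original script: only < > & " are
# encoded, so the apostrophe passes through untouched.
my $restricted = encode_entities($pic, '<>&"');

# Default unsafe set, as ikegami suggests: the apostrophe is encoded as
# a numeric entity, so it can no longer end a single-quoted attribute.
my $default = encode_entities($pic);

# Reproduce the script's markup, which wraps the value in single quotes,
# and count the raw apostrophes that survive into the attribute value.
# Anything above zero means the value can close the attribute early.
sub check_attr {
    my ($escaped) = @_;
    my $tag    = "<img src='$escaped' width='250'>";
    my $quotes = () = $escaped =~ /'/g;
    return ($tag, $quotes);
}

for my $escaped ($restricted, $default) {
    my ($tag, $quotes) = check_attr($escaped);
    print "$tag\n  raw apostrophes left in attribute value: $quotes\n";
}
```

The same single-quote context applies to href='$wpage' in the script, so the default set is the one to use for every value the script writes into an attribute.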
