
Re: CGI.pm Filter out recurring NULL Bytes

by graff (Chancellor)
on May 25, 2016 at 03:22 UTC ( #1164028=note )


in reply to CGI.pm Filter out recurring NULL Bytes

I don't quite understand your question. Are you talking about null bytes that are being submitted in a GET or POST request to your CGI app? Is your app running into some particular problem involving null bytes?

I don't know for sure, but it wouldn't surprise me if there were some situations where actual null bytes are to be expected as part of the data going from client to app or from app to client; assuming such cases exist, it would seem to be a bad idea to filter them out, because they're probably part of some compressed or other binary stream, and such a stream would become unusable if certain bytes were filtered out.

Apart from such cases (if indeed there are any), I'd expect null bytes to be "encoded" in some way for transmission between server and client (e.g. as a three-character string "%00"), and again, I could imagine (but haven't seen) cases where this might be appropriate or necessary for some purpose, so again it's likely to be a mistake to filter them out.

Please explain what you're doing that involves null bytes in your CGI usage, and say more about the nature of the problem you're trying to solve.

Re^2: CGI.pm Filter out recurring NULL Bytes
by $h4X4_|=73}{ (Monk) on May 25, 2016 at 11:27 UTC

    I thought it would add some security to the program I'm making. As it is now, I just filter param values as I use them with very strict patterns. Works well and there are no problems. That seems to be the "Best Practice" when dealing with param values.

    I plan to release the final version to the public, and the more I think about adding any security filter globally to the params, the more I realize it could actually trick a developer into thinking they don't need to check the params for issues. So "no" on filtering null bytes is the answer I'm leaning toward.

    That is not the only thing I wanted to talk about. I see in CGI there is a way to limit POST only, but no possible way to limit GET or the cookies. Is there a reason why those are not needed?

      Is there a reason why those are not needed?

      They are headers, not body. The headers are already processed by the time your CGI script gets called so it's too late to do anything about them in terms of resource usage. Limits on headers are handled by the web server.
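The two points made in this thread, validating each param at the point of use with a strict anchored pattern instead of stripping null bytes globally, and capping only the POST body (query string and cookies being headers the web server bounds), are shown together below. This is an added example, not code from either poster; it assumes CGI.pm is installed, and the parameter names, cookie name and patterns are hypothetical. It fakes a GET request through environment variables (constructed input) so it runs from the command line without a web server, and shows that CGI.pm decodes "%00" into a real NUL byte in the param value rather than dropping it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Only the POST body has a size cap in CGI.pm. The query string and cookies
# arrive as request headers and are bounded by the web server's own limits
# (for Apache: LimitRequestLine / LimitRequestFieldSize), not by CGI.pm.
$CGI::POST_MAX        = 64 * 1024;   # bytes; a larger body sets cgi_error to "413 ..."
$CGI::DISABLE_UPLOADS = 1;           # this script accepts no file uploads

# One strict, anchored whitelist pattern per input (names and shapes are
# hypothetical for this example). A NUL byte, like any other stray byte,
# cannot match an anchored character class, so no global filter is needed.
my %SHAPE = (
    user    => qr/\A[A-Za-z0-9_]{1,32}\z/,
    page    => qr/\A[1-9][0-9]{0,4}\z/,
    session => qr/\A[0-9a-f]{16,64}\z/,
);

# Validate one value against its pattern at the point of use.
# Returns the value on success, undef otherwise.
sub validate {
    my ($name, $val) = @_;
    my $re = $SHAPE{$name} or die "no pattern defined for '$name'";
    return undef unless defined $val && $val =~ $re;
    return $val;
}

# Render a value so that non-printable bytes (such as NUL) are visible.
sub hexdump {
    my ($val) = @_;
    return '-' unless defined $val;
    return join '', map { /[ -~]/ ? $_ : sprintf '\\x%02x', ord } split //, $val;
}

# Constructed request: a %00 inside one parameter, plus a well-formed cookie.
# CGI.pm URL-decodes %00 to a real NUL byte in param('user'); it does not strip it.
$ENV{REQUEST_METHOD} = 'GET';
$ENV{QUERY_STRING}   = 'user=alice%00admin&page=3';
$ENV{HTTP_COOKIE}    = 'session=0123456789abcdef';

my $q = CGI->new;
if (my $err = $q->cgi_error) {      # set, for example, when a POST exceeds POST_MAX
    print "Status: $err\n\n";
    exit;
}

for my $name (qw(user page)) {
    my $raw = $q->param($name);
    my $ok  = validate($name, $raw);
    printf "%-8s %s  raw=%s\n", $name, defined $ok ? "ok: $ok" : 'REJECTED', hexdump($raw);
}

# Cookies go through the same per-use check; CGI.pm places no size limit on them.
my $sid = validate('session', $q->cookie('session'));
printf "%-8s %s\n", 'session', defined $sid ? "ok: $sid" : 'REJECTED';
```

Run it directly with perl; the `user` value is rejected because the decoded NUL byte breaks the anchored match, while `page` and the cookie pass. Dropping the `$ENV{...}` lines turns it into an ordinary CGI script where the same checks apply to real requests.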
