Re: Restricting Web Directory Access

by mt2k (Hermit)
on Mar 01, 2002 at 15:16 UTC [id://148582]


in reply to Restricting Web Directory Access

Okay thanks people. It seems I have a lot of work to do still! =8-)
I like mattr's idea of restricting to a..z (along with numbers and SINGLE periods).
Here is a good regex (or so I think/hope):

    if ($input{'file'} !~ /[^a-z0-9\.]/ && $input{'file'} !~ /\.\./) {
        # CODE TO WORK IT ALL OUT
    }

And just to answer a couple of questions asked of me:

  • Yep, CGI reads in all my environment variables/form data
  • Username is taken from a set cookie that verifies using username/encrypted password every visit to a member-only page.
  • There are file uploads AND textarea editing. Limit already set to a smallish number
  • And I forgot to mention: all CGI, etc. is disabled in the users' directories (so no perl scripts run, etc). Access to these user directories is purely open to all users (in these directories, I set Options +Indexes in case there is no index.htm(l))
  • I understand that it would probably (okay, WOULD) be better to do this using FTP, but I don't have the privilege of doing this :)

Any other comments???

Re: Re: Restricting Web Directory Access
by thraxil (Prior) on Mar 01, 2002 at 22:05 UTC

    i wouldn't even do that. there's really no excuse for not using Taint mode if your script is opening files based on untrusted user input.

    with taint mode you would do something like:

        my $filename = "";
        if ($input{'file'} =~ /^(\w+\.?\w{2,4})$/) {
            $filename = $1;
        } else {
            die "somebody is trying to do bad things";
        }
        # do stuff with $filename

    the idea is to only allow as much as you absolutely need to. doing anything else essentially comes down to you trying to predict how someone will attack the script and specifically blocking those attacks. not good since it means you have to know every possible attack they might try. if you miss one thing, you're screwed. taint mode encourages you to only allow as limited a set of inputs as possible.

    to be even more safe, you should probably use sysopen instead of open. if you're doing an "edit" of an existing file rather than creating a new one, you might also want to load the list of files that are in the directory into a hash and check that $input{'file'} actually matches one of them.

    but the most important thing is to use taint mode. i would suggest that before you go live with this program (however you've implemented it), you read and understand every line of the perlsec manpage. it would also be illustrative to read about the poison NULL byte for an idea of how subtle the attacks can get and why it's not good to base your security on trying to anticipate them all.

    anders pearson
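The following is an added example, not code from either post, that puts the two suggestions in this thread together: untainting the file name through a regex capture under taint mode (thraxil's approach, which also subsumes mt2k's allowlist of letters, digits and a single period), then checking the name against what actually exists in the directory and opening it with sysopen. `$input{'file'}` is assumed to hold the CGI parameter as in the thread; `$dir` stands for a hypothetical per-user directory.

```perl
#!/usr/bin/perl -T
# Added example (not code from either post): validate a user-supplied file
# name under taint mode before touching the filesystem. Assumes the CGI
# parameter is already in $input{'file'} as in the thread; $dir is a
# hypothetical per-user directory path.
use strict;
use warnings;
use Fcntl qw(O_RDONLY);

# Under -T everything from the request is tainted and the only way to
# untaint it is a regex capture, so the capture below IS the allowlist:
# a bare name of letters/digits/underscore, an optional single extension,
# nothing else. "..", "/", "\0", "|" and leading dots cannot match.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_]{1,32}(?:\.[A-Za-z0-9]{1,4})?)\z/;
    return;    # rejected: caller treats undef as an attack attempt
}

# For "edit an existing file", go further than a pattern check: build a
# hash of the names that actually exist in the directory and require the
# request to be one of them (thraxil's suggestion).
sub existing_files {
    my ($dir) = @_;
    opendir(my $dh, $dir) or die "cannot read $dir: $!";
    my %seen = map { $_ => 1 } grep { -f "$dir/$_" } readdir $dh;
    closedir $dh;
    return \%seen;
}

sub open_user_file {
    my ($dir, $raw) = @_;
    my $name = untaint_filename($raw)
        or die "rejected file name\n";
    my $known = existing_files($dir);
    die "no such file\n" unless $known->{$name};
    # sysopen with an explicit mode: no magic from a leading '<', '>' or '|'
    # as two-argument open() would apply to the string.
    sysopen(my $fh, "$dir/$name", O_RDONLY)
        or die "open failed: $!\n";
    return $fh;
}

# Demonstration with constructed inputs: `readme.txt` passes the pattern;
# the rest are the classic ways of escaping a directory or fooling open(),
# including the poison NULL byte mentioned above.
for my $candidate ('readme.txt', '../etc/passwd', 'page.html%00.jpg',
                   "page.html\0.jpg", '.htaccess', '|ls') {
    my $shown = $candidate;
    $shown =~ s/\0/\\0/g;
    printf "%-20s %s\n", $shown,
        defined(untaint_filename($candidate)) ? 'accepted' : 'rejected';
}
```

Run it as `perl -T example.pl`; the `-T` has to be on the command line as well as in the shebang, otherwise perl stops with "Too late for -T option". Note that the directory-listing check only makes sense for editing, since a new upload will not be in the hash yet; for uploads the untainted name alone decides.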
