Re: Quotes In CGI

by jlongino (Parson)
on Oct 07, 2002 at 21:10 UTC


in reply to Quotes In CGI

How are you parsing/storing your CGI data? I had the same problem you're describing before I started frequenting Perlmonks. I used the $cgi->param('var') methods but I used eval to create variables and assign their corresponding values:

The following code is BAD! don't use it!

    sub doGetCGIvars {
        my $VarName;
        my $query = new CGI;
        foreach $VarName ($query->param) {
            # builds the Perl statement  $name = 'value'  and hands it to eval
            $assign = "\$$VarName = '" . $query->param($VarName) . "'";
            &UnTaint($assign);
            eval($assign);
        }
    }
Why is this bad? Because any param that has a single quote in it will screw things up. Likewise, if I had used the following:
    $assign = "\$$VarName = \"" . $query->param($VarName) . '"';
params containing a double quote would screw things up. Instead, use one of the saner methods recommended by Ovid in his reply to Best way to parse CGI params and check out his CGI Course for more pointers and other reasons why you shouldn't use methods like the ones above to parse/store CGI data.

--Jim

Re: Re: Quotes In CGI
by Anonymous Monk on Oct 07, 2002 at 22:35 UTC
    I'm sure that you realize that single-quotes aren't the only reason the above code is very, very bad. If, for example, someone were to figure out what you're doing, they could call your script like this:
    
    script.cgi?x=1;system('rm%20-rf%20/etc/');print%20'gotcha!
    
    This would eval (I think -- it's not tested), and do some potentially nasty things. I'm not devious enough to come up with something really nasty to do in a system call, but you get the idea... jpt
      You are correct, although your example would not work as you intended, something along the lines of the following would:
      script.cgi?x=' . system "any valid OS command here" . '
      the eval of which would look like this:
      $x = '' . system "any valid OS command here" . '';
      In this particular case, the UnTaint would not find any "naughty" symbols we associate with usual system cracking attempts. My focus, however, was to address the cause of the poster's immediate problem. The references to the other links and the warning I think were sufficient. In his CGI Course, Ovid addresses these and other security issues.

      --Jim
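A safer way to collect the parameters, as an added example that is not from this thread: every value goes into a hash and nothing is ever passed to eval, so a single quote, a double quote or the `' . system "..." . '` string from the reply above stays inert data. It assumes CGI.pm is installed (4.08 or later for multi_param) and uses a constructed query string so it runs offline without a web server.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Collect every CGI parameter into a plain hash instead of building
# "$name = '...'" statements for eval. The value is only ever data here,
# so quotes, semicolons or Perl code inside it cannot alter the program.
sub get_cgi_vars {
    my ($query) = @_;
    my %vars;
    for my $name ($query->param) {
        # multi_param needs CGI.pm 4.08+; it avoids the list-context
        # warning and keeps multi-valued fields (checkboxes) intact.
        my @values = $query->multi_param($name);
        $vars{$name} = @values > 1 ? \@values : $values[0];
    }
    return \%vars;
}

# Constructed query string (not from the thread): each value is one that
# would have broken or subverted the eval-based doGetCGIvars.
my $qs = join '&',
    "name=O%27Brien",                              # single quote
    "title=%22Doctor%22",                          # double quotes
    "x=%27%20.%20system%20%22any%20valid%20OS%20command%20here%22%20.%20%27",
    "tags=a", "tags=b";                            # multi-valued field

my $vars = get_cgi_vars(CGI->new($qs));

# Print what was stored; the "x" value is shown verbatim and never executed.
for my $name (sort keys %$vars) {
    my $v = $vars->{$name};
    printf "%-5s => %s\n", $name, ref $v ? join(', ', @$v) : $v;
}
```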
