http://qs321.pair.com?node_id=203497


in reply to Quotes In CGI

How are you parsing/storing your CGI data? I had the same problem you're describing before I started frequenting Perlmonks. I used the $cgi->param('var') methods but I used eval to create variables and assign their corresponding values:

The following code is BAD! don't use it!

    use CGI;

    sub doGetCGIvars {
        my $VarName;
        my $query = new CGI;
        foreach $VarName ($query->param) {
            # builds a line of Perl source out of the raw parameter value ...
            $assign = "\$$VarName = '" . $query->param($VarName) . "'";
            &UnTaint($assign);   # poster's own filtering sub, not shown here
            # ... and then runs it as code
            eval($assign);
        }
    }
Why is this bad? Because any param that has a single quote in it will screw things up. Likewise, if I had used the following:
    $assign = "\$$VarName = \"" . $query->param($VarName) . '"';
params containing a double quote would screw things up. Instead, use one of the saner methods recommended by Ovid in his reply to Best way to parse CGI params and check out his CGI Course for more pointers and other reasons why you shouldn't use methods like the ones above to parse/store CGI data.

--Jim

Re: Re: Quotes In CGI
by Anonymous Monk on Oct 07, 2002 at 22:35 UTC
    I'm sure that you realize that single-quotes aren't the only reason the above code is very, very bad. If, for example, someone were to figure out what you're doing, they could call your script like this:
    
    script.cgi?x=1;system('rm%20-rf%20/etc/');print%20'gotcha!
    
    This would eval (I think -- it's not tested), and do some potentially nasty things. I'm not devious enough to come up with something really nasty to do in a system call, but you get the idea... jpt
      You are correct, although your example would not work as you intended; something along the lines of the following would:
      script.cgi?x=' . system "any valid OS command here" . '
      the eval of which would look like this:
      $x = '' . system "any valid OS command here" . '';
      In this particular case, the UnTaint would not find any "naughty" symbols we associate with usual system cracking attempts. My focus, however, was to address the cause of the poster's immediate problem. The references to the other links and the warning I think were sufficient. In his CGI Course, Ovid addresses these and other security issues.

      --Jim
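The thread above makes two points that belong together: Jim's original post shows that building Perl source from parameter values breaks on a stray quote, and the reply shows that character filtering ("UnTaint") cannot rescue it, because a value can close the quote and splice in arbitrary code. The fix is not a better blocklist but never turning input into code at all. The following is an added example, not code from the original posts or from CGI.pm: it collects parameters into a hash, so a value containing quotes or Perl syntax stays an inert string. The `FakeQuery` package is a hypothetical stand-in for a CGI.pm object (same `param` calling convention) so the script runs offline; with the real module you would pass `CGI->new` instead. The sample parameter values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for CGI.pm, so this runs without the module.
# It mimics the two calls used below: param() with no argument returns
# the parameter names, param($name) returns that parameter's value(s).
package FakeQuery;
sub new   { my ($class, %p) = @_; return bless {%p}, $class }
sub param {
    my ($self, $name) = @_;
    return sort keys %$self unless defined $name;
    my $v = $self->{$name};
    return ref $v ? @$v : ($v);
}

package main;

# Constructed sample request: the same shapes of value the thread
# discusses (a single quote, and a quote-closing string containing
# Perl code), here as nothing more than bytes in a hash.
my %sample_params = (
    name => "O'Brien",
    x    => q{' . system "any valid OS command here" . '},
    tags => [ 'perl', 'cgi' ],    # a multi-valued parameter
);

# Safe replacement for doGetCGIvars: copy every parameter into a hash.
# No string is ever passed to eval, so no parameter value can be
# executed, whatever characters it contains.
sub collect_cgi_vars {
    my ($query) = @_;    # any object with a CGI.pm-style param() method
    my %vars;
    for my $name ($query->param) {
        my @values = $query->param($name);
        # keep multi-valued parameters as an array reference
        $vars{$name} = @values > 1 ? \@values : $values[0];
    }
    return \%vars;
}

my $q    = FakeQuery->new(%sample_params);
my $vars = collect_cgi_vars($q);

for my $name (sort keys %$vars) {
    my $v = $vars->{$name};
    printf "%-4s => %s\n", $name, ref $v ? join(',', @$v) : $v;
}

# The hostile-looking value arrives unchanged and unexecuted: it is data.
die "value was altered\n" unless $vars->{x} eq $sample_params{x};
die "multi-value lost\n"  unless @{ $vars->{tags} } == 2;
print "all parameter values stored as plain data\n";
```

Because `%vars` is an ordinary hash, a parameter named `x` is reached as `$vars->{x}`; nothing about the parameter name or value is ever interpreted as Perl, which is the property the eval-based version lacked and which no UnTaint filter could have given it.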