PerlMonks  

cgi security regex in subroutine

by jonnyfolk (Vicar)
on May 21, 2003 at 15:56 UTC [id://259767]

jonnyfolk has asked for the wisdom of the Perl Monks concerning the following question:

I'm using a regex to check for illegal input in a CGI script. Since there are rather a lot of variables I thought I'd write a subroutine to help me out. This is what I have written:

    #!/usr/bin/perl -w
    #use strict;
    use CGI::Carp qw(fatalsToBrowser warningsToBrowser);
    use CGI ':standard';

    my $one   = "apple";
    my $two   = "pear";
    my $three = "ba\$\£na\¨na";   # test value with characters the regex is meant to catch

    my @vars;
    # Note: "\.-\s" inside a character class is a false range (Perl warns and treats
    # the "-" as a literal), and "\Ó" is a mis-encoded character from the original post.
    my $ILLEGAL_CHARS = qr/[^\w\.-\s\@\(\)\Ó,]/;

    @vars = ($one, $two, $three);
    ($one, $two, $three) = legal(@vars);

    print header(), start_html(-title => "fruits");
    print "$one,$two,$three";
    print end_html();

    sub legal {
        # $item is never declared with "my", and the sub works on the
        # file-scoped @vars rather than on its arguments in @_
        foreach $item (@vars) {
            $item =~ s/$ILLEGAL_CHARS/_/g;
        }
        return @vars;
    }
My questions are:

When I use strict I get syntax errors for every single part of the regex - how can I use strict?
I have included as allowed things like ',' and '( )' to make life more agreeable for the user. Is there still enough there to prevent tampering? Can I improve the regex?
Is the subroutine set okay or can I improve on that? General comments welcome.

With thanks.

Re: cgi security regex in subroutine
by Ovid (Cardinal) on May 21, 2003 at 16:09 UTC

    I recommend that you read Lesson 3 in my CGI course. It gives a brief description of taint checking, security issues and it has many links you can follow.

    As a general rule specify what you will allow, not what you won't allow. All it takes is for you to miss one thing that you shouldn't have missed and your life could be miserable. Without knowing what you're going to do with your list, I can't be too specific for you, but you might want to check out the Untaint module. For now, though, you can look at this to see the general strategy:

    use Carp;

    sub untaint {
        my ($string, $regex) = @_;
        croak "Bad regex '$regex'" unless ref $regex eq 'Regexp';
        # Capturing from a successful match yields an untainted copy of the data
        my ($untainted) = $string =~ /($regex)/;
        return $untainted;
    }

    print untaint( 33, qr/^\d+$/ );

    Cheers,
    Ovid

    New address of my CGI Course.
    Silence is Evil (feel free to copy and distribute widely - note copyright text)
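Ovid's "specify what you will allow" strategy carried through to a whole form, as an added example that is not code from this thread or from Ovid's course. The field names (`fruit`, `quantity`, `note`) and their patterns are assumptions for the example; it also answers the original post's third question by taking the values to check from `@_` instead of a file-scoped array, and it puts the original deny-list regex beside the allow-list so the difference on a value containing a line break can be seen.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp qw(croak);

# Allow-list: one anchored pattern per form field (field names and patterns
# are assumptions for this example; adjust them to your own form).
# \A and \z are used instead of ^ and $ because $ still matches before a
# trailing newline, so "apple\n" would slip through /^[a-z]+$/.
my %ALLOW = (
    fruit    => qr/\A[A-Za-z][A-Za-z ]{0,39}\z/,   # letters and spaces
    quantity => qr/\A\d{1,4}\z/,                   # one to four digits
    note     => qr/\A[\w .,()'-]{0,200}\z/,        # only the punctuation the form needs
);

# Validate one field against its allow-list pattern.
# Returns the untainted value on success, undef on failure; the value is
# never rewritten, so a failed check is visible instead of silently "fixed".
sub untaint_field {
    my ($field, $value) = @_;
    my $re = $ALLOW{$field} or croak "No allow-list pattern for field '$field'";
    return unless defined $value;
    my ($clean) = $value =~ /($re)/;   # capturing from a match untaints the copy
    return $clean;
}

# Validate every known field from a hashref of raw parameters (input comes
# from @_, unlike the original legal() which worked on a global @vars).
# Returns (hashref of clean values, arrayref of rejected field names).
sub validate_params {
    my ($params) = @_;
    my (%clean, @rejected);
    for my $field (sort keys %ALLOW) {
        my $clean = untaint_field($field, $params->{$field});
        if (defined $clean) { $clean{$field} = $clean }
        else                { push @rejected, $field }
    }
    return (\%clean, \@rejected);
}

# The original post's deny-list approach, kept for comparison (the false
# range "\.-\s" is written as separate literals here).
sub deny_list_clean {
    my ($value) = @_;
    (my $copy = $value) =~ s/[^\w.\-\s\@(),]/_/g;
    return $copy;
}

# Constructed sample input: the note contains an embedded line break.
my %sample = (
    fruit    => "apple",
    quantity => "12",
    note     => "ripe, (very)\nsecond line",
);

my ($clean, $rejected) = validate_params(\%sample);
print "accepted $_ => '$clean->{$_}'\n" for sort keys %$clean;
print "rejected: @$rejected\n";

# The deny-list leaves the line break in place because \s is on its allowed
# list; that is the kind of omission Ovid warns about.
print "deny-list result: '", deny_list_clean($sample{note}), "'\n";
```

Run it with `perl -T` to see the taint-mode behaviour: the values returned from `untaint_field` come from a regex capture and are therefore untainted, while whatever `deny_list_clean` returns is still tainted because substitution does not untaint.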

Re: cgi security regex in subroutine
by andreychek (Parson) on May 21, 2003 at 16:46 UTC
    Hey there,

    In addition to Ovid's excellent advice, I'd also like to recommend checking out the Data::FormValidator module on CPAN. It provides a number of simple methods to validate the parameters sent to you from the browser. Are the fields required or optional? Do you just want to see if anything at all was entered into them, or do you want fine grained control over what was entered? It lets you choose all of that. Here is an example of how you might use it:

    ### Note: untested code
    use CGI;
    use Data::FormValidator;

    my $q = CGI->new;

    # Require food_name and food_group
    # color is optional, but validate it if they pass it in
    my $fields_profile = {
        required    => [ "food_name", "food_group" ],
        optional    => [ "color" ],
        constraints => {
            food_name  => \&validate_word,
            food_group => \&validate_word,
            color      => \&validate_word,
        },
        # Untaint a field if and only if it passes a constraint
        untaint_all_constraints => 1,
    };

    # You can simply pass in your CGI object along with your fields profile
    my $results = Data::FormValidator->check($q, $fields_profile);

    # If data is missing or invalid, just print it out
    if ($results->has_missing or $results->has_invalid) {
        print "Missing: ", join ", ", $results->missing;
        print "Invalid: ", join ", ", $results->invalid;
    }
    else {
        print "Excellent food submission!";
    }

    # Called by Data::FormValidator when it needs to validate our parameters
    sub validate_word {
        my $val = shift;
        return $val =~ /^[\w ]+$/;
    }
    Hopefully, that gives you a decent example of how it might work. Be sure to read the docs, they give lots of examples. Good luck!
    -Eric

    --
    Lucy: "What happens if you practice the piano for 20 years and then end up not being rich and famous?"
    Schroeder: "The joy is in the playing."
Re: cgi security regex in subroutine
by cees (Curate) on May 21, 2003 at 16:40 UTC

    Listen to Ovid and read his tutorial, but also have a look on CPAN for modules that have solved this problem for you. Data::FormValidator comes to mind, but there are several others as well. If it is a common enough problem, then chances are someone else has come across it and solved it for you.

    Cheers
