Re: First Time Untainting Data


The stupid question is the question not asked
	PerlMonks

Re: First Time Untainting Data

by Abigail-II (Bishop)

on Oct 10, 2003 at 15:39 UTC ( [id://298286]=note: print w/replies, xml )

Need Help??

in reply to First Time Untainting Data

Two things: first, your untaint function isn't untainting the data. Removing parts from a tainted string doesn't make it untainted. Match (in parens) what you allow, and use that ($1) - that will be untainted. See the perlsec manual page.

But looking at the rest of the program, I don't think you are doing anything that isn't insecure.

Abigail

Comment on Re: First Time Untainting Data

Replies are listed 'Best First'.
Re: Re: First Time Untainting Data by svsingh (Priest) on Oct 10, 2003 at 17:05 UTC
Thanks for the tip. I rewrote the untaint subroutine as follows (borrowing from perlsec): `sub untaint { my $s = $_[0]; if ($s =~ /^([\w \-\@\,\.\/]+)$/) { $s = $1; # $data now untainted } else { die "Bad data in $s"; # log this somewhere } return $s; }` [download] When I get home, I'll look into writing a separate untaint subroutine for each field, but is this more correct than the original? Thanks again.	[reply] [d/l]
Re: First Time Untainting Data by Abigail-II (Bishop) on Oct 10, 2003 at 17:10 UTC
This is at least a syntactical valid way of untainting the data, but I do not know whether it's semantically correct. That depends on how the data is used. And do yourself (and all readers of your code), don't backwack everything. Only use a backslash when it's really needed. Like this: `if ($s =~ m{^([-\w \@(),./]+)$}) {` [download] Abigail	[reply] [d/l]

In Section Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://298286]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others about the Monastery: (2)

As of 2024-04-26 04:21 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found