I'm basically self-taught in the world of Perl through the help of some excellent books (thanks for the recommendations) and through reading Q&A on sites such as this and the newsgroups.
The significance of the above statement is that I haven't been hanging around on the web developers' street corners -- at least until recently. Thanks to the world of spam I'm now receiving several unwanted email tutorials from web-experts -- lucky me :-(
Well, it has come to my attention that most of the web developers who are not using Matt's scripts are using a thing called "subparseform.lib" to parse input from webforms.
I took a look at this lib and was more than a bit annoyed at something this simplistic becoming the standard. I guess after Matt's similar effect I shouldn't be surprised but...
In any case I decided to start contacting the so-called teachers training the new web developers and giving them a slightly more secure form of their precious little 'subparseform.lib'. I figured getting them to convert to CGI was a bit too uphill a battle.
To that end I've added what I could to the existing 'subparseform.lib'. Before publishing this to the tutors as a better form of what they have I'm hoping to run it by the good monks here.
I know it's not CGI. But since I'm just trying to replace near total garbage with something that looks like the original garbage but might be a bit more secure this is the current tack.
Let me know if you see any glaring errors I've missed. Or better ways to handle this short of a total CGI conversion.
Thanks
Claude
use strict;
use vars qw(%formdata);    # filled in for the caller, as the original lib does

sub Parse_Form {
    my @pairs  = ();
    my $buffer = '';       # was never declared in the original
    if ($ENV{'REQUEST_METHOD'} eq 'GET') {
        @pairs = split(/&/, $ENV{'QUERY_STRING'});
    } elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
        @pairs = split(/&/, $buffer);
        #### Removed as security risk
        #### Use hidden vars instead
        #### don't mix methods: if ($ENV{'QUERY_STRING'}) {
        #### don't mix methods:     @getpairs = split(/&/, $ENV{'QUERY_STRING'});
        #### don't mix methods:     push(@pairs, @getpairs);
        #### don't mix methods: }
    } else {
        print "Content-type: text/html\n\n";
        print "<P>Use Post or Get";
    }
    foreach my $pair (@pairs) {
        ## split into at most two fields so a '=' inside the value survives
        my ($key, $value) = split(/=/, $pair, 2);
        $value = '' unless defined $value;   # "name" with no '=' at all
        $key =~ tr/+/ /;
        $key =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        ###=== Begin Security addition ======================
        ## REMOVE poison NULL
        $key =~ s/\0//g;
        $value =~ s/\0//g;
        ## Clean characters to remove weird stuff: keep printable ASCII plus
        ## space, tab, CR and LF (space has to stay because '+' was just
        ## decoded to a space; CR/LF are needed for textarea input).
        ## Written as a literal class instead of a single-quoted string:
        ## in the original the '\[\\\]' part came out as \[\\] so the ]
        ## closed the class early and the substitution never matched.
        $key   =~ s/[^\x20-\x7e\t\r\n]//g;
        $value =~ s/[^\x20-\x7e\t\r\n]//g;
        ## strip HTML/SSI comments; non-greedy with /s so each comment is
        ## removed on its own rather than everything from the first <!--
        ## to the last -->
        $key =~ s/<!--.*?-->//gs;
        ###=== End Security addition ========================
        ###=== Begin Cosmetic/Functionality addition ========
        ## REMOVE LEADING BLANKS
        $key =~ s/^\s*//;
        ## REMOVE TRAILING BLANKS
        $key =~ s/\s*$//;
        ###=== End Cosmetic/Functionality addition ==========
        $value =~ s/<!--.*?-->//gs;
        ## test with 'defined', not truth, so a value of "0" is kept as well
        if (defined $formdata{$key}) {
            $formdata{$key} .= ", $value";
        } else {
            $formdata{$key} = $value;
        }
    }
}

1;
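A check of the character filter, added here and not part of the posted lib: it feeds one constructed dirty value through the $allowedCHARS class exactly as posted, through the class the list was meant to express, and through a literal printable-ASCII class, using only core Test::More.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Test::More tests => 3;

# Constructed input: normal text with an ESC byte, a backspace and a
# high-bit byte mixed in, plus the space that a '+' decodes to.
my $dirty = "Fred\x1bSmith\x08 \xe9";

# 1. The list as posted.  Inside single quotes only \\ and \' are special,
#    so '\[\\\]' ends up as \[\\] in the pattern.  The regex engine reads
#    \\ as a literal backslash and the next ] as the end of the class; the
#    rest (^_`{|}~]) must then match literally after a disallowed byte,
#    which never happens, so nothing is stripped at all.
my $allowedCHARS = 'a-zA-Z0-9\!\"\#\$\%\&\'\(\)\*\+\,\-\.\/\:\;\<\=\>\?\@\[\\\]\^\_\`\{\|\}\~';
(my $as_posted = $dirty) =~ s/[^$allowedCHARS]//gi;
is($as_posted, $dirty, 'class as posted strips nothing');

# 2. What the list was meant to say: printable ASCII minus the space
#    (0x21-0x7e).  It does remove the junk, but also eats the space that
#    the '+' in the form data was just decoded to.
(my $intended = $dirty) =~ s/[^\x21-\x7e]//g;
is($intended, 'FredSmith', 'intended list also drops the decoded space');

# 3. A literal class that keeps printable ASCII and the whitespace a form
#    can legitimately carry (space, tab, CR, LF); control and high-bit
#    bytes go, the space stays.
(my $fixed = $dirty) =~ s/[^\x20-\x7e\t\r\n]//g;
is($fixed, 'FredSmith ', 'literal class removes junk, keeps the space');
```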