
Re: Security techniques every programmer should know

by Jaap (Curate)
on Dec 27, 2004 at 09:47 UTC ( #417523=note )

in reply to Security techniques every programmer should know

Instead of blacklisting with
$string =~ tr/\x00-\x09\x0b\x0c\x0e-\x1f//d;
one should whitelist, allowing certain characters and forbidding the rest:
if ($string =~ m/^([a-zA-Z0-9_]+)$/) { my $safeString = $1; ### one or more allowed chars; also untainted now }
Ok, you say that in the Taint part, but I would add it to the "Null bytes are scary" part.

Re^2: Security techniques every programmer should know
by legato (Monk) on Dec 27, 2004 at 20:21 UTC

    Your code will call anything with whitespace an unsafe string. While that's much better than no checking, how about:

    $string =~ s/[^\w\s]+//g; ##strip everything outside the allowed set; add other allowed chars as needed
    That will sanitize all strings to contain only numbers, digits, the underscore and whitespace. A more complete regex (which would still not include unicode or international chars) would be:
    $string =~ s/[^\w\s\!\@\#\$\%\^\&\*\(\)\\\`\~\-\+\=\,\.]+//g;
    (Yes, there's more escaping there than strictly necessary.) Suddenly, that transliteration is looking a lot easier to maintain. If your allowed set is "everything but nulls and control chars", then you're better off explicitly excluding the known control-char set.

    Denying all, then allowing is a good general rule of thumb. But, in this case, the "dangerous" items are a fixed set while the "safe" items are much more variable -- so it makes sense to simply remove that which is dangerous.

    Update=> Aristotle reminded me that, as \s includes \n, these regexes will not strip newlines; that means strings sanitized with these will be unsafe if executed with a shell (e.g. system("$string");). This further shows that inclusion-matching isn't as good, in this case, as merely stripping "bad" data out.

    Anima Legato
    .oO all things connect through the motion of the mind

      \w matches different things depending on your locale. If you have a German locale, for instance, it will match .

      That is the danger of using Perl's shortcut character classes, as DrHyde pointed out to me.

      "Cogito cogito ergo cogito sum - I think that I think, therefore I think that I am." Ambrose Bierce

      Are you sure you want to use \s? That includes \n, you know.

      Makeshifts last the longest.
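The two approaches argued over in this thread, side by side, as an added example (not code from any of the posters). It puts Jaap's whitelist-and-capture untainting next to legato's strip-the-bad-characters sanitizer and runs both over a few constructed inputs, so the points raised by Aristotle (\s admits \n) and Anima Legato (\w follows the locale) are visible in the output. Function names and the sample inputs are my own; the /a modifier needs Perl 5.14 or later.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Whitelist in the style of Jaap's reply. Capturing from a regex is the one
# sanctioned way to untaint under perl -T. \A and \z anchor the whole string
# ($ alone would tolerate a trailing "\n"); an explicit ASCII class sidesteps
# the locale/Unicode meaning of \w entirely. Anything that does not match is
# rejected rather than "repaired".
sub whitelist_untaint {
    my ($s) = @_;
    return undef unless defined $s;
    return $1 if $s =~ /\A([A-Za-z0-9_]+)\z/;   # $1 is untainted
    return undef;
}

# Blacklist in the style of legato's reply, written as "remove everything
# outside the allowed set". /a (Perl 5.14+) pins \w to [A-Za-z0-9_] regardless
# of locale. \s still includes "\n", so the result is NOT safe to interpolate
# into a shell command string.
sub blacklist_strip {
    my ($s) = @_;
    $s =~ s/[^\w\s]+//ga;
    return $s;
}

# Constructed sample inputs (not taken from the thread).
my @inputs = (
    "report_2004",          # clean identifier
    "report 2004",          # whitespace: whitelist rejects, blacklist keeps
    "report\n2004",         # newline survives \s; fatal inside system("...")
    "report; rm -rf /",     # shell metacharacters
    "report\x00.txt",       # NUL byte (the original "Null bytes are scary" case)
);

# Render control characters visibly so the output is unambiguous.
sub show {
    my ($s) = @_;
    $s =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return qq{"$s"};
}

for my $in (@inputs) {
    my $w = whitelist_untaint($in);
    my $b = blacklist_strip($in);
    printf "%-24s whitelist=%-16s blacklist=%s\n",
        show($in), (defined $w ? show($w) : 'REJECTED'), show($b);
}

# Whichever sanitizer is used, never hand the result to a shell string.
# The list form of system() never invokes a shell, so newlines and
# metacharacters that survived sanitizing are inert:
#     system('ls', '--', $b);
```

Run it as `perl -T whitelist_vs_blacklist.pl` to see the untainting half under real taint checks; the whitelist routine is the only one that produces a value taint mode will accept as an argument to system() or open().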
