Xxaxx has asked for the wisdom of the Perl Monks concerning the following question:
The significance of the above statement is that I haven't been hanging around on the web developers' street corners -- at least until recently. Thanks to the world of spam I'm now receiving several unwanted email tutorials from web-experts -- lucky me :-(
Well, it has come to my attention that most of the web developers who are not using Matt's scripts are using a thing called "subparseform.lib" to parse input from webforms.
I took a look at this lib and was more than a bit annoyed at something this simplistic becoming the standard. I guess after Matt's similar effect I shouldn't be surprised but...
In any case I decided to start contacting the so-called teachers training the new web developers and giving them a slightly more secure form of their precious little 'subparseform.lib'. I figured getting them to convert to CGI was a bit too uphill a battle.
To that end I've added what I could to the existing 'subparseform.lib'. Before publishing this to the tutors as a better form of what they have I'm hoping to run it by the good monks here.
I know it's not CGI. But since I'm just trying to replace near total garbage with something that looks like the original garbage but might be a bit more secure, this is the current tack.
Let me know if you see any glaring errors I've missed. Or better ways to handle this short of a total CGI conversion.
Thanks
Claude
sub Parse_Form {
    use vars ('%formdata');
    my @pairs  = ();
    my $buffer = '';    # declared here; the original left it an implicit global

    if ($ENV{'REQUEST_METHOD'} eq 'GET') {
        @pairs = split(/&/, $ENV{'QUERY_STRING'});
    }
    elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
        @pairs = split(/&/, $buffer);
        #### Removed as security risk
        #### Use hidden vars instead
        #### don't mix methods     if ($ENV{'QUERY_STRING'}) {
        #### don't mix methods         @getpairs = split(/&/, $ENV{'QUERY_STRING'});
        #### don't mix methods         push(@pairs, @getpairs);
        #### don't mix methods     }
    }
    else {
        print "Content-type: text/html\n\n";
        print "<P>Use Post or Get";
    }

    foreach my $pair (@pairs) {
        # limit 2: split on the first '=' only, so a value containing '=' is kept whole
        my ($key, $value) = split(/=/, $pair, 2);
        $value = '' unless defined $value;    # a bare "name" with no '=' has an empty value
        $key   =~ tr/+/ /;
        $key   =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

        ###=== Begin Security addition ======================
        ## REMOVE poison NULL
        $key   =~ s/\0//g;
        $value =~ s/\0//g;
        ## Clean characters to remove weird stuff: keep printable ASCII
        ## (the same set as the original $allowedCHARS list, whose '\]'
        ## closed the character class early and made the filter a no-op)
        ## plus space, tab, CR and LF so that textarea input survives
        $key   =~ s/[^\x20-\x7E\t\r\n]//g;
        $value =~ s/[^\x20-\x7E\t\r\n]//g;
        $key   =~ s/<!--(.|\n)*-->//g;
        ###=== End Security addition ========================

        ###=== Begin Cosmetic/Functionality addition ========
        ## REMOVE LEADING BLANKS
        $key =~ s/^\s*//;
        ## REMOVE TRAILING BLANKS
        $key =~ s/\s*$//;
        ###=== End Cosmetic/Functionality addition ==========
        $value =~ s/<!--(.|\n)*-->//g;

        # exists, not truth: a submitted value of "0" must not be overwritten
        if (exists $formdata{$key}) {
            $formdata{$key} .= ", $value";
        }
        else {
            $formdata{$key} = $value;
        }
    }
}
return 1;
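To make visible what the parse-and-clean steps in the lib above actually do to real input, here is an added Python re-implementation of the same logic. It is not code from the thread or from subparseform.lib; the function names and the sample requests are constructed for this illustration. It keeps the posted order of operations (split on '&' and '=' first, then '+' and %XX decoding, then NUL removal, printable-ASCII filtering and HTML-comment stripping, and the rule that a POST never reads QUERY_STRING) and handles two cases the posted Perl gets wrong: a value that itself contains '=' and a submitted value of "0". It also shows the cost of the printable-ASCII filter, which strips percent-encoded UTF-8 such as "Zürich" down to "Zrich".

```python
import re
from typing import Dict

# Printable ASCII (the same set as the thread's $allowedCHARS list) plus
# space, tab, CR and LF so that textarea input is not destroyed.
_DISALLOWED = re.compile(r"[^\x20-\x7E\t\r\n]")
# Greedy, like the Perl s/<!--(.|\n)*-->//g: one '<!--' swallows everything
# up to the LAST '-->' in the string, exactly as the lib does.
_HTML_COMMENT = re.compile(r"<!--.*-->", re.DOTALL)
_PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_component(s: str) -> str:
    """application/x-www-form-urlencoded decoding of one key or value.

    '+' becomes a space, then each %XX escape becomes the byte it names
    (one character per byte, as Perl's pack("C", hex($1)) produces).
    Splitting on '&' and '=' happens BEFORE this step, so %26 and %3D inside
    a value cannot create extra pairs or keys.
    """
    s = s.replace("+", " ")
    return _PCT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def sanitize(s: str) -> str:
    """The lib's 'Security addition' block: drop NUL, drop anything outside
    the allowed set, drop HTML comments."""
    s = s.replace("\0", "")
    s = _DISALLOWED.sub("", s)
    return _HTML_COMMENT.sub("", s)


def parse_form(method: str, query_string: str = "", body: str = "") -> Dict[str, str]:
    """Build the %formdata hash the lib builds: repeated keys join with ', '."""
    if method == "GET":
        raw = query_string
    elif method == "POST":
        raw = body          # QUERY_STRING is ignored on POST: don't mix methods
    else:
        raise ValueError("Use POST or GET")

    formdata: Dict[str, str] = {}
    for pair in raw.split("&"):
        if not pair:
            continue
        # partition splits on the FIRST '=' only, so "eq=a=b=c" keeps value "a=b=c";
        # the posted split(/=/, $pair) into two variables would keep only "a".
        key, _, value = pair.partition("=")
        key = sanitize(decode_component(key)).strip()   # keys also lose outer blanks
        value = sanitize(decode_component(value))
        # Membership test, not truthiness: the Perl 'if ($formdata{$key})'
        # treats an earlier submitted "0" as absent and silently overwrites it.
        if key in formdata:
            formdata[key] = formdata[key] + ", " + value
        else:
            formdata[key] = value
    return formdata


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(parse_form("GET", "name=Claude+Monk&eq=a=b=c"))
    print(parse_form("POST", body="qty=0&qty=2&file=report.txt%00.jpg"))
    print(parse_form("POST", query_string="admin=1", body="user=bob"))
    print(parse_form("GET", "city=Z%C3%BCrich"))    # UTF-8 bytes are stripped: Zrich
```

Run it directly to see each sample parsed; the last line is the one to weigh before handing this to anyone with non-English users, since the byte-wise filter silently deletes every non-ASCII character rather than rejecting the request.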
Replies are listed 'Best First'.
(Ovid - cargo-cult CGI) Re: Re: subparseform.lib
by Ovid (Cardinal) on Apr 28, 2001 at 03:58 UTC
by Xxaxx (Monk) on Apr 28, 2001 at 08:38 UTC
by Ovid (Cardinal) on Apr 28, 2001 at 19:55 UTC
by AgentM (Curate) on Apr 28, 2001 at 08:47 UTC