Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling

Re: Security with open() in CGI scripts

by smitz (Chaplain)
on Feb 26, 2002 at 12:16 UTC ( #147535=note: print w/replies, xml ) Need Help??

in reply to Security with open() in CGI scripts

Something weird you should look out for that I came across late one night:
# parse $user_input $database="$user_input.db"; open(FILE "<$database");
Ok, whats the problem? CGI passes user_input=rfp , and the script tries to open rfp.db. (Lets ignore the ../../ stuff for now). Then it got interesting when I passed 'user_input=rfp%00'. Perl made $database="rfp\0.db", and then tried to open $database. The results?
It opened "rfp" (or would have, had it existed). What happened to the ".db"? As you probably know, Perl allows NULL characters in its variables as data. Unlike in C, NULL is not a string delimiter. But, the underlying system/kernel calls are programmed in C, which DOES recognize NULL as a delimiter. So the end result? Perl passes "rfp\0.db", but the underlying libs stop processing when they hit the first (our) NULL.
Im sure the brainpower of monks-combined (TM) could think of some nasty applications of this feature.

Update: I had intended to credit the author, RainForestPuppy, phrack mag 55-7. Sorry for the slip-up.



Added update per user request - dvergin 2002-02-26

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://147535]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others musing on the Monastery: (5)
As of 2018-05-26 09:09 GMT
Find Nodes?
    Voting Booth?