PerlMonks  

Untainting input to CGI::Application

by ghettofinger (Monk)
on May 18, 2005 at 18:46 UTC (#458388)
ghettofinger has asked for the wisdom of the Perl Monks concerning the following question:

Hello everyone,

I have put together quite a few pages using CGI and HTML::Template and I really like it. It works. When I took the little Perl knowledge that I had and combined it with Ovid's CGI Course I felt that I had a simple and secure application. I am trying to expand my sites and add more functionality so I have decided to start using CGI::Application. This is a really cool module and fun to use. I have an issue though. I am not sure how I can untaint input from users. Take the following for example:

    sub login {
        my $self = shift;
        my ($nick, $pass) = @_;
        my $session = $self->param('session');
        if (defined $nick and defined $pass) {
            if ($nick eq $pass) {    # REPLACE THIS WITH A REAL CHECK!!!!
                # DO STUFF
            } else {
                # DO OTHER THINGS
            }
        }
    }

I have been using CGI::Untaint when I was using just CGI, but now that I am modularizing the site, I am not sure how to go about this. Should I be looking to "$self" and asking for $nick and $pass and then untaint them? Is there a better way to do this now that I am using CGI::Application?

My thanks to all,
ghettofinger

Re: Untainting input to CGI::Application
by edan (Curate) on May 18, 2005 at 18:56 UTC
Re: Untainting input to CGI::Application
by dragonchild (Archbishop) on May 18, 2005 at 18:58 UTC
    CGI::Application is meant to be subclassed. This means that you're supposed to write a class that uses it as a starting point. When I write C::A apps, I actually have 2-3 levels of baseclasses. The first one is my global baseclass. It's my version of what C::A should do. This includes providing a print() method that dispatches between HTML::Template, Excel::Template, and PDF::Template. I see no reason why you shouldn't go ahead and provide a param()-type method in your global baseclass that will untaint the parameters as you need them. You could even link it with CGI::Untaint as so:
    use CGI::Untaint;

    # Runs before every run mode: build one CGI::Untaint handler from the
    # raw query parameters and stash it as an application param.
    sub cgiapp_prerun {
        my $self = shift;
        $self->param( taint_handler => CGI::Untaint->new( $self->query->Vars ) );
        return $self->SUPER::cgiapp_prerun( @_ );
    }

    # Thin wrapper: $self->extract( -as_integer => 'id' ) delegates to
    # CGI::Untaint's extract() and returns undef if the check fails.
    sub extract {
        my $self = shift;
        my ($method, $name) = @_;
        my $handler = $self->param( 'taint_handler' );
        return $handler->extract( $method => $name );
    }
    Now, your calls to $self->extract() are wrappers around CGI::Untaint's extract(). Done.

    • In general, if you think something isn't in Perl, try it out, because it usually is. :-)
    • "What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"
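As an added example (not dragonchild's code, nor anything from the thread), the base-class wrapper above carried through to a runnable two-level CGI::Application under taint mode, with the login run mode from the question rewritten to pull its parameters through the wrapper and to refuse the request when a check fails; the package names MyApp::Base and MyApp::Login and the parameter names nick and pass are assumptions:

```perl
#!/usr/bin/perl -T
package MyApp::Base;    # assumed name for the global base class
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Untaint;

# Build one CGI::Untaint handler from the raw query parameters before the
# run mode executes, and keep it as an application param.
sub cgiapp_prerun {
    my $self = shift;
    $self->param( taint_handler => CGI::Untaint->new( $self->query->Vars ) );
    return $self->SUPER::cgiapp_prerun(@_);
}

# Wrapper around CGI::Untaint::extract(): returns the untainted value, or
# undef with the reason in param('taint_error') when the check fails.
sub extract {
    my ( $self, $method, $name ) = @_;
    my $handler = $self->param('taint_handler');
    my $value   = $handler->extract( $method => $name );
    $self->param( taint_error => $handler->error ) unless defined $value;
    return $value;
}

package MyApp::Login;   # assumed name for the application subclass
use strict;
use warnings;
our @ISA = ('MyApp::Base');

sub setup {
    my $self = shift;
    $self->start_mode('login');
    $self->run_modes( login => 'login' );
}

sub login {
    my $self = shift;
    # -as_printable accepts printable characters only; use a stricter
    # handler (e.g. -as_integer for an id) whenever the field allows it.
    my $nick = $self->extract( -as_printable => 'nick' );
    my $pass = $self->extract( -as_printable => 'pass' );
    return 'Bad input: ' . $self->param('taint_error')
        unless defined $nick and defined $pass;
    # The real credential check goes here; both values are now untainted.
    return "Welcome, $nick\n";
}

package main;
MyApp::Login->new->run;
```

Under -T, any parameter that bypasses extract() stays tainted, so Perl itself will refuse to pass it to a system call or open(), which is the safety net the wrapper builds on.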
Re: Untainting input to CGI::Application
by Joost (Canon) on May 18, 2005 at 18:59 UTC
