PerlMonks  

taint mode perplexities

by jesuashok (Curate)
on Mar 27, 2006 at 07:02 UTC (#539378=perlquestion)
jesuashok has asked for the wisdom of the Perl Monks concerning the following question:

Hi all,

I have been reading up on web security and I am getting paranoid. I operate under taint mode - although I must confess to being a little in the dark as to what that means. I am using the following code in order to filter input from a form.

$TEST =~ s/[^a-zA-Z0-9@\/.,: ]//g;

It works as expected but I am trying to make it as secure as possible and found that if a user enters '<SCRIPT>' into a form field it treats it as a Java Code and it is not filtered. I assume that I could follow this with some other code and do some harm. I need to avoid this security hole and obviously I could check for the word '<SCRIPT>' in STDIN. Is there a better way of doing this and what other holes should I be aware of?

"Keep pouring your ideas"

2006-03-27 Retitled by planetscape, as per Monastery guidelines
Original title: 'audio program'

2006-10-07 Unapproved by planetscape once evidence of habitual plagiarism uncovered.

Re: taint mode perplexities
by zer (Deacon) on Mar 27, 2006 at 07:31 UTC
    If you are taking input as a CGI environment and you are worried about re-displaying code that has been input into your forms: it is true that there are some backends with scripts. However, they are not being run on the server, so that will be secure. However, the users viewing the script may be vulnerable. It isn't a bad idea to block out all script tags for their sake.
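An added example, written for this thread and not taken from the original post or from any reply, showing the two points raised so far in Perl under -T. First, the strip regex from the question does not untaint anything: only a regex capture clears the taint flag, so the example validates with the same character class as a capture and rejects input that does not fit, instead of silently stripping it. Second, picking up zer's point about people viewing the page, whatever is echoed back is HTML-escaped on output. The sample strings, the names untaint_field and escape_html, and the trick of tainting the samples with a zero-length slice of %ENV are my own constructions, not anything from the thread.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): whitelist validation that untaints
# under -T, plus HTML escaping on output. All sample inputs are constructed.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, data from %ENV, STDIN, @ARGV and CGI parameters is tainted.
# Appending a zero-length slice of a tainted value to each constructed
# sample makes it tainted too, so the demo behaves like real form input.
my $taint = substr(join('', values %ENV), 0, 0);

my @samples = (
    'user@example.com',           # constructed: fits the whitelist
    '<SCRIPT>alert(1)</SCRIPT>',  # constructed: the case asked about
    'rm -rf /; echo',             # constructed: shell metacharacters
);

# Same character class as the original s///, but used as a capture so the
# result is untainted, and with a length cap. Anything that does not match
# is rejected rather than quietly reshaped into something else.
sub untaint_field {
    my ($value) = @_;
    return undef unless defined $value;
    return $1 if $value =~ /\A([a-zA-Z0-9@\/.,: ]{0,256})\z/;
    return undef;    # rejected; the original value stays tainted
}

# Escape on output as well: a validated value written into HTML should
# never be able to open a tag, whatever the whitelist allowed.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

for my $raw (map { $_ . $taint } @samples) {
    # The strip approach from the question: brackets are removed, but the
    # result is still tainted because s/// is not a capture.
    (my $stripped = $raw) =~ s/[^a-zA-Z0-9@\/.,: ]//g;
    printf "input    : '%s' (tainted=%d)\n", $raw, tainted($raw) ? 1 : 0;
    printf "stripped : '%s' (tainted=%d)\n", $stripped, tainted($stripped) ? 1 : 0;

    my $clean = untaint_field($raw);
    if (defined $clean) {
        printf "validated: '%s' (tainted=%d), html: %s\n",
            $clean, tainted($clean) ? 1 : 0, escape_html($clean);
    } else {
        print "validated: rejected\n";
    }
    print "\n";
}
```

Run it as `perl -T script.pl`; without -T every tainted() call reports 0 and the untainting becomes a plain whitelist check, which is still the part worth keeping.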
Re: taint mode perplexities
by liverpole (Monsignor) on Oct 06, 2006 at 11:59 UTC
    At this site, the following was written on March 25, 2006:
    I have been reading up on web security and I am getting paranoid. I operate under taint mode - although I must confess to being a little in the dark as to what that means. I am using the following code in order to filter input from a form.
    $TEST =~ s/[^a-zA-Z0-9@\/.,: ]//g;
    It works as expected but I am trying to make it as secure as possible and found that if a user enters '<SCRIPT>' into a form field it treats it as a Java Code and it is not filtered. I assume that I could follow this with some other code and do some harm. I need to avoid this security hole and obviously I could check for the word '<SCRIPT>' in STDIN. Is there a better way of doing this and what other holes should I be aware of? Keith

    s''(q.S:$/9=(T1';s;(..)(..);$..=substr+crypt($1,$2),2,3;eg;print$..$/

      In a really odd twist, I note that the original title of this node was "audio program" ... while "audiopro" is the nick used by "Keith" on tek-tips.com
