Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)

Cute! ++ of course. I find it fascinating how you can use ingenuity to spoof these types of filters. Here is one that provides more utility and of course patches your hack.

sub ilya_proof_path {
  my ( $path ) = @_ ;
  return '' unless $path;
  my ($type, $domain, $q_string );
  ( $path, $q_string ) = split '\?', $path;
  $q_string =~ tr/\0//d if $q_string;
  1 while $path =~ s/%([0-9a-fA-F]{2})/chr hex $1/ge;
  $path =~ s!\\+!/!g;
  $path =~ s![^\w \Q-:./#\E]!!g;
  $path =~ s!\.\.*/!!g;
  $path =~ s/^\s+//g;
  $path =~ s/ +/ /g;
  $type = $1 if  $path =~ s!^(\w+):/+!!;
  $domain = $1 if $type and $type =~ m/(?:https?|ftps?)/ and $path =~ 
+s!^([\w\.-]+)/!!;
  # tolerate win32 drive letters as a pseudo domain
  $domain = $1 if $type and $type =~ m/file/ and $path =~ s!^([A-Z]:)/
+!!;
  return  $path, $type, $domain, $q_string ;
}
[download]

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Comment on Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD) Download Code

Replies are listed 'Best First'.
Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD) by IlyaM (Parson) on Feb 28, 2003 at 12:37 UTC
This one is indead IlyaM proof :) I stared on it for 5 mins and I could not find how it can be abused ++. Anyway I'm not sure I like this approach because it is very easy to do mistakes. I would not use regexps on whole string but I'd split path on components first and then I'd use regexps on them. I.e. something like: use URI; my $uri = URI->new($path); die "bad schema" unless is_safe_schema($uri->schema); die "bad domain" unless is_safe_domain($uri->host); die "bad path" unless is_safe_path($uri->path); sub is_safe_schema { # left as excersize to reader } sub is_safe_domain { # left as excersize to reader } sub is_safe_path { my $path = shift; my @comps = split '/', $path; for my $comp (@comps) { return 0 unless is_safe_path_comp } return 1; } sub is_safe_path_comp { my $comp = shift; return 0 if $comp =~ /\0\\/; return 0 if $comp eq '..'; # other unsafe patterns .... return 1; } [download] -- Ilya Martynov, ilya@iponweb.net CTO IPonWEB (UK) Ltd Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net Personal website - http://martynov.org	[reply] [d/l]
Re: How Internet is a mess. (Playing with HTTPD) by Abigail-II (Bishop) on Feb 28, 2003 at 12:52 UTC
That would consider `http://www.example.com/path/some/where?query/../here` [download] to be unsafe. You might first want to split on a question mark, and then inspect just the first part. Abigail	[reply] [d/l]
Re: Re: How Internet is a mess. (Playing with HTTPD) by IlyaM (Parson) on Feb 28, 2003 at 12:57 UTC
It is handled by URI module: `use URI; my $uri = URI->new('http://www.example.com/path/some/where?query/../he +re'); print "Path: ", $uri->path, "\n"; print "Query: ", $uri->query, "\n"; __END__ Prints: Path: /path/some/where Query: query/../here` [download] -- Ilya Martynov, ilya@iponweb.net CTO IPonWEB (UK) Ltd Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net Personal website - http://martynov.org	[reply] [d/l]
Re: Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD) by tachyon (Chancellor) on Feb 28, 2003 at 12:48 UTC
While I can see the merit in this approach there is a lot of redundancy with the potential for holes . It does of course offer more granularity but I'm not sure you really need this and the attendant overhead. The main issues are the null byte hack, shell metachars, multiencoding %hh so you don't actually properly check the string and the old ../.. chestnut. We are reasonably protected from buffer overflows but you can easily truncate the length if desired. cheers tachyon s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print	[reply]


P is for Practical
	PerlMonks