PerlMonks

Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)

by IlyaM (Parson)
on Feb 28, 2003 at 12:37 UTC (#239417)


in reply to Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
in thread How Internet is a mess. (Playing with HTTPD)

This one is indeed IlyaM proof :) I stared at it for 5 mins and I could not find how it can be abused ++. Anyway I'm not sure I like this approach because it is very easy to make mistakes. I would not use regexps on the whole string but I'd split the path into components first and then I'd use regexps on them. I.e. something like:

use URI;

my $uri = URI->new($path);   # $path holds the URL being checked
die "bad schema" unless is_safe_schema($uri->scheme);
die "bad domain" unless is_safe_domain($uri->host);
die "bad path"   unless is_safe_path($uri->path);

sub is_safe_schema {
    # left as exercise to reader
}

sub is_safe_domain {
    # left as exercise to reader
}

sub is_safe_path {
    my $path = shift;
    my @comps = split '/', $path;
    for my $comp (@comps) {
        return 0 unless is_safe_path_comp($comp);
    }
    return 1;
}

sub is_safe_path_comp {
    my $comp = shift;
    return 0 if $comp =~ /[\0\\]/;   # null byte or backslash
    return 0 if $comp eq '..';
    # other unsafe patterns ....
    return 1;
}

--
Ilya Martynov, ilya@iponweb.net
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org


Re: Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
by tachyon (Chancellor) on Feb 28, 2003 at 12:48 UTC

    While I can see the merit in this approach there is a lot of redundancy with the potential for holes. It does of course offer more granularity but I'm not sure you really need this and the attendant overhead. The main issues are the null byte hack, shell metachars, multi-encoding %hh so you don't actually properly check the string, and the old ../.. chestnut. We are reasonably protected from buffer overflows but you can easily truncate the length if desired.

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Re: How Internet is a mess. (Playing with HTTPD)
by Abigail-II (Bishop) on Feb 28, 2003 at 12:52 UTC
    That would consider
    http://www.example.com/path/some/where?query/../here

    to be unsafe. You might first want to split on a question mark, and then inspect just the first part.

    Abigail

      It is handled by the URI module:

      use URI;
      my $uri = URI->new('http://www.example.com/path/some/where?query/../here');
      print "Path: ", $uri->path, "\n";
      print "Query: ", $uri->query, "\n";
      __END__
      Prints:
      Path: /path/some/where
      Query: query/../here

      --
      Ilya Martynov, ilya@iponweb.net
      CTO IPonWEB (UK) Ltd
      Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
      Personal website - http://martynov.org
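Putting the three points of this thread together (let URI split the URL so a '..' in the query is not mistaken for a path component, check each path component on its own, and decode %hh exactly once so double-encoding cannot hide a traversal): this is an added example, not code from IlyaM, tachyon or the URI distribution, and the rejection rules and sample URLs are constructed for illustration.

```perl
use strict;
use warnings;
use URI;
use URI::Escape qw(uri_unescape);

# Check only the path of a URL; the query (after '?') is left to URI->query.
sub is_safe_url_path {
    my $url = shift;
    my $uri = URI->new($url);
    return is_safe_path($uri->path);
}

sub is_safe_path {
    my $path = shift;
    # -1 keeps trailing empty fields so "/a/../" splits into "", "a", "..", "".
    for my $comp (split m{/}, $path, -1) {
        return 0 unless is_safe_path_comp($comp);
    }
    return 1;
}

sub is_safe_path_comp {
    my $comp = shift;
    # URI->path returns components as sent (%hh intact); decode exactly once.
    my $decoded = uri_unescape($comp);
    # Anything still containing '%' after one decode was double-encoded
    # (e.g. %252e%252e): reject it instead of decoding again and again.
    return 0 if $decoded =~ /%/;
    return 0 if $decoded =~ /[\0\\]/;       # null byte or backslash
    return 0 if $decoded eq '..';           # parent-directory component
    return 0 if $decoded =~ /[;|&`\$<>]/;   # shell metacharacters
    return 1;
}

# Constructed sample inputs (not from the thread); expected verdict in comments.
my @samples = (
    'http://www.example.com/path/some/where?query/../here',  # ok: '..' is in the query
    'http://www.example.com/path/../private/file',           # reject: '..'
    'http://www.example.com/path/%2e%2e/private/file',       # reject: decodes to '..'
    'http://www.example.com/path/%252e%252e/private/file',   # reject: double-encoded
    'http://www.example.com/path/file%00.html',              # reject: null byte
    'http://www.example.com/path/a%3bb',                     # reject: decodes to ';'
);
for my $url (@samples) {
    printf "%-55s %s\n", $url, is_safe_url_path($url) ? 'ok' : 'REJECT';
}
```

Rejecting any '%' left after one decode also refuses a literal '%' in a path name ('%25'); loosen that rule if your application needs such names.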
