Beefy Boxes and Bandwidth Generously Provided by pair Networks Joe
Do you know where your variables are?
 
PerlMonks  

Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)

by IlyaM (Parson)
on Feb 28, 2003 at 12:37 UTC ( #239417=note: print w/ replies, xml ) Need Help??


in reply to Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
in thread How Internet is a mess. (Playing with HTTPD)

This one is indead IlyaM proof :) I stared on it for 5 mins and I could not find how it can be abused ++. Anyway I'm not sure I like this approach because it is very easy to do mistakes. I would not use regexps on whole string but I'd split path on components first and then I'd use regexps on them. I.e. something like: 

use URI;
my $uri = URI->new($path);
die "bad schema" unless is_safe_schema($uri->schema);
die "bad domain" unless is_safe_domain($uri->host);
die "bad path" unless is_safe_path($uri->path);

sub is_safe_schema {
    # left as excersize to reader
}

sub is_safe_domain {
    # left as excersize to reader
}

sub is_safe_path {
    my $path = shift;
    my @comps = split '/', $path;
    for my $comp (@comps) {
        return 0 unless is_safe_path_comp
    }
    return 1;
}

sub is_safe_path_comp {
    my $comp = shift;
    return 0 if $comp =~ /\0\\/;
    return 0 if $comp eq '..';
    # other unsafe patterns
    ....
    return 1;
}


[download]

--
Ilya Martynov, ilya@iponweb.net
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org


Comment on Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
Download Code
Re: Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
by tachyon (Chancellor) on Feb 28, 2003 at 12:48 UTC

    While I can see the merit in this approach there is a lot of redundancy with the potential for holes . It does of course offer more granularity but I'm not sure you really need this and the attendant overhead. The main issues are the null byte hack, shell metachars, multiencoding %hh so you don't actually properly check the string and the old ../.. chestnut. We are reasonably protected from buffer overflows but you can easily truncate the length if desired.

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

[reply]
Re: How Internet is a mess. (Playing with HTTPD)
by Abigail-II (Bishop) on Feb 28, 2003 at 12:52 UTC
    That would consider 
        http://www.example.com/path/some/where?query/../here

    [download]

    to be unsafe. You might first want to split on a question mark, and then inspect just the first part.

    Abigail

[reply]
[d/l]
      It is handled by URI module: 
      use URI;
my $uri = URI->new('http://www.example.com/path/some/where?query/../he
+re');
print "Path: ", $uri->path, "\n";
print "Query: ", $uri->query, "\n";
__END__
Prints:
Path: /path/some/where
Query: query/../here

      [download]

      --
      Ilya Martynov, ilya@iponweb.net
      CTO IPonWEB (UK) Ltd
      Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
      Personal website - http://martynov.org

[reply]
[d/l]

In Section Meditations

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://239417]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (8)
As of 2013-05-22 02:16 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best material for plates (tableware) is:









    Results (453 votes), past polls