Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

RE: CGI Security and the null byte problem

by extremely (Priest)
on Oct 26, 2000 at 10:39 UTC ( #38560=note: print w/ replies, xml ) Need Help??


in reply to CGI Security and the null byte problem

You left out a simple example or two on how to specify what you will allow. So, Allow me =)

my $file = $cgi->param( 'file' ); my $data; # # One way # $file =~ s#[^A-Z0-9a-z.]+##g; #strip down to alphanum and period # can change the meaning of what people post. $file =~ m#(.*)#; #evil evil evil if you haven't striped. $data = $1 || ""; #not really necessary to have alternate, nice tho. # # Alternate way # $file =~ m#([A-Z0-9a-z.]+)#; #grab first good chunk. # can potentially ignore a lot of data and boggle the user $data = $1 | ""; #you really want this now, match can fail. # # My "best" way # die "Eeeek! Evil data sent to the 'file' parameter!\n" if ($file =~ m#[^A-Z0-9a-z.]#); #now use the first method above to detaint anyway...

--
$you = new YOU;
honk() if $you->love(perl)


Comment on RE: CGI Security and the null byte problem
Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://38560]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (8)
As of 2014-12-26 02:36 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (164 votes), past polls