PerlMonks  

Re: Security techniques every programmer should know

by Jaap (Curate)
on Dec 27, 2004 at 09:47 UTC


in reply to Security techniques every programmer should know

Instead of blacklisting with

$string =~ tr/\x00-\x09\x0b\x0c\x0e-\x1f//d;

one should whitelist, allowing certain characters and forbidding the rest:

if ($string =~ m/^([a-zA-Z0-9_]+)$/) { my $safeString = $1; ### also untainted now }

Edit:
Ok you say that in the Taint part, but I would add it to the "Null bytes are scary" part.
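An added example, not part of Jaap's post, that runs both approaches side by side under taint mode. The sub names, the sample inputs and the use of \A and \z (rather than $, which also matches before a trailing newline) are my own choices; the tr/// line is the one quoted above, and the whitelist is the anchored capture from Jaap's reply with the + that it needs to accept more than one character.

```perl
#!/usr/bin/perl
# Added example (not from the PerlMonks thread): blacklist vs whitelist
# cleaning of a user-supplied name, with taint status shown.
# Run as:  perl -T blacklist_vs_whitelist.pl            (constructed inputs)
#          perl -T blacklist_vs_whitelist.pl 'report;id' (arguments are tainted)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Blacklist: removes NUL and most C0 control characters, keeps everything
# else (newline, ';', '|', backtick ...). tr/// never untaints its operand.
sub blacklist_clean {
    my ($s) = @_;
    $s =~ tr/\x00-\x09\x0b\x0c\x0e-\x1f//d;
    return $s;
}

# Whitelist: accept only a run of [A-Za-z0-9_], anchored with \A and \z so a
# trailing newline is not tolerated. The capture $1 is untainted; any input
# that does not match is rejected rather than repaired.
sub whitelist_untaint {
    my ($s) = @_;
    return $1 if $s =~ /\A([A-Za-z0-9_]+)\z/;
    return;    # undef in scalar context
}

# Render control bytes visibly for the report.
sub show {
    my ($s) = @_;
    $s =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return qq{"$s"};
}

# Constructed sample inputs (used when no arguments are given).
my @inputs = @ARGV ? @ARGV : (
    "report_2004",       # benign
    "report\x00.txt",    # embedded NUL
    "report;id",         # shell metacharacter, no control characters at all
    "report\n",          # trailing newline
);

for my $in (@inputs) {
    my $bl = blacklist_clean($in);
    my $wl = whitelist_untaint($in);
    printf "%-20s tainted=%d  blacklist=%-18s whitelist=%s\n",
        show($in), tainted($in) ? 1 : 0, show($bl),
        defined $wl
            ? show($wl) . ' tainted=' . (tainted($wl) ? 1 : 0)
            : 'REJECTED';
}
```

Passing the name as an argument under -T shows the point Jaap is making: the blacklisted copy stays tainted and still carries the ';', while the whitelisted copy is untainted or the input is refused.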


Re^2: Security techniques every programmer should know
by legato (Monk) on Dec 27, 2004 at 20:21 UTC

    Your code will call anything with whitespace an unsafe string. While that's much better than no checking, how about:

    $string =~ s/[^\w\s]+//g; ## delete every run of anything that is not a word char or whitespace; add other allowed chars as needed
    That will sanitize all strings to contain only numbers, digits, the underscore and whitespace. A more complete regex (which would still not include unicode or international chars) would be:
    $string =~ s/[^\w\s\!\@\#\$\%\^\&\*\(\)\\\`\~\-\+\=\,\.]+//g;
    (Yes, there's more escaping there than strictly necessary.) Suddenly, that transliteration is looking a lot easier to maintain. If your allowed set is "everything but nulls and control chars", then you're better off explicitly excluding the known control-char set.

    Denying all, then allowing is a good general rule of thumb. But, in this case, the "dangerous" items are a fixed set while the "safe" items are much more variable -- so it makes sense to simply remove that which is dangerous.

    Update: Aristotle reminded me that, as \s includes \n, these regexes will not strip newlines; that means strings sanitized with these will be unsafe if executed with a shell (e.g. system("$string");). This further shows that inclusion-matching isn't as good, in this case, as merely stripping "bad" data out.

    Anima Legato
    .oO all things connect through the motion of the mind

      \w matches different things depending on your locale. If you have a German locale, for instance, it will match .

      The danger of using perl's shortcut character classes, as was pointed out to me by DrHyde.

      "Cogito cogito ergo cogito sum - I think that I think, therefore I think that I am." Ambrose Bierce

      Are you sure you want to use \s? That includes \n, you know.

      Makeshifts last the longest.
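An added example, not part of legato's post or the replies to it, that demonstrates the two caveats raised above: a [\w\s] whitelist keeps newlines, which /bin/sh treats as a command separator, and \w does not mean [A-Za-z0-9_] once locale or Unicode rules apply. The sub name, the echo commands and the word "Straße" are constructed for the example; the /a modifier assumes Perl 5.14 or later, and the system() call assumes a POSIX shell.

```perl
#!/usr/bin/perl
# Added example (not from the PerlMonks thread): what a [\w\s] whitelist
# lets through, and how the meaning of \w shifts with Unicode semantics.
use strict;
use warnings;
use utf8;                                  # literals below are character strings
binmode STDOUT, ':encoding(UTF-8)';

# legato's whitelist as a negated character class: delete every run of
# characters that is neither a word character nor whitespace.
sub strip_non_wordspace {
    my ($s) = @_;
    $s =~ s/[^\w\s]+//g;
    return $s;
}

# Constructed input: the newline is whitespace, so it survives the strip.
my $in    = "echo first\necho second";
my $clean = strip_non_wordspace($in);
my $nl    = () = $clean =~ /\n/g;          # count newlines left over
print "newlines left after strip: $nl\n";

# The one-argument form of system() sees a shell metacharacter (the newline)
# and hands the string to /bin/sh, which runs both lines as separate commands.
# Harmless echo here; the list form system('echo', $clean) would not do this.
if ($nl) {
    system($clean) == 0 or warn "shell returned $?\n";
}

# If blanks and tabs are wanted but line breaks are not, say so explicitly
# instead of relying on \s.
(my $no_nl = $in) =~ s/[^\w \t]+//g;
print "without newline: [$no_nl]\n";

# \w under Unicode rules vs ASCII-only \w (/a modifier, Perl 5.14+).
# Under `use utf8` the string carries non-ASCII characters, so plain \w
# matches the sharp s; with /a only [A-Za-z0-9_] counts.
my $de = "Straße";
printf "%s matches /^\\w+\$/  : %s\n", $de, ($de =~ /^\w+$/)  ? 'yes' : 'no';
printf "%s matches /^\\w+\$/a : %s\n", $de, ($de =~ /^\w+$/a) ? 'yes' : 'no';
```

The first half shows why legato's update matters: the stripped string looks clean yet still runs two commands when given to the shell. The second half is DrHyde's point in code: if the intended set is ASCII, write [A-Za-z0-9_] or use /a rather than trusting \w.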
