Untainting input to CGI::Application

ghettofinger has asked for the wisdom of the Perl Monks concerning the following question:

Hello everyone,

I have put together quite a few pages using CGI and HTML::Template and I really like it. It works. When I took the little perl knowledge that I had and comined it with Ovid's CGI Course I felt that I had a simple and secure application. I am trying to expand my sites and add more functionality so I have decided to start using CGI::Application. This is a realy cool module and fun to use. I have an issue though. I am not sure how I can untaint input from users. Take the following for example:

sub login{
    my $self = shift;
    my ($nick, $pass) = @_;
    my $session = $self->param('session');
    if(defined $nick and defined $pass){
        if($nick eq $pass){
            #REPLACE THIS WITH A REAL CHECK!!!!
            #DO STUFF
          }else{
            #DO OTHER THINGS
          }
     }
[download]

I have been using CGI::Untaint when I was using just CGI, but now that I am modularizing the site, I am not sure how to go about this. Should I be looking to "$self" and asking for $nick and $pass and then untaint them? Is there a better way to do this now the I am using CGI::Application?

My thanks to all,
ghettofinger

Comment on Untainting input to CGI::Application Download Code

Replies are listed 'Best First'.
Re: Untainting input to CGI::Application by dragonchild (Archbishop) on May 18, 2005 at 18:58 UTC
CGI::Application is meant to be subclassed. This means that you're supposed to write a class that uses it as a starting point. When I write C::A apps, I actually have 2-3 levels of baseclasses. The first one is my global baseclass. It's my version of what C::A should do. This includes providing a print() method that dispatches between HTML::Template, Excel::Template, and PDF::Template. I see no reason why you shouldn't go ahead and provide a param()-type method in your global baseclass that will untaint the parameters as you need them. You could even link it with CGI::Untaint as so: `sub cgiapp_prerun { my $self = shift; $self->param( handler => CGI::Untaint->new( $self->query->Vars ) ) +; return $self->SUPER::prerun( @_ ); } sub extract { my $self = shift; my ($method, $name) = @_; my $handler = $self->param( 'taint_handler' ); return $handler->extract( $method => $name ); }` [download] Now, your calls to $self->extract() are wrappers around CGI::Untaint's extract(). Done. In general, if you think something isn't in Perl, try it out, because it usually is. :-) "What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"	[reply] [d/l]
Re: Untainting input to CGI::Application by edan (Curate) on May 18, 2005 at 18:56 UTC
You could look at CGI::Application::Plugin::ValidateRM as a convenient way to implement Data::FormValidator validations for your run-modes. It's all nicely integrated with CGI::Application. -- edan	[reply]
Re: Untainting input to CGI::Application by Joost (Canon) on May 18, 2005 at 18:59 UTC
CGI::Application's query() method should return a CGI object, so you can use CGI::Untaint just the same way as you used to with plain CGI. Just my $0.02, I've never used CGI::Untaint. "What should it profit a man, if he should win a flame war, yet lose his cool?"	[reply]


Pathologically Eclectic Rubbish Lister
	PerlMonks