in reply to Any security holes?
All right my $whatever = encode_entities($whatever, '<>&"');
did the trick! Now, if I put HTML code into the input field it doesn't mess up anything. Thanx for steering me to the answer (and fast too). Heartily appreciated. Hugs
Are there still any blatant security risks?
My script now:
#!C:\Perl64\site\bin\perl.exe
use warnings;
use HTML::Entities;
use CGI;
my $cgi = CGI->new(); # create new CGI object
# leftover from hand-rolled query-string parsing: $pair is never set here, so this
# block does nothing (CGI->param already decodes the form fields for you)
{
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%(..)/pack("C", hex($1))/eg;
$FORM{$name} = $value;
}
my $nick = $cgi->param('nick');
my $pic = $cgi->param('pic');
my $say = $cgi->param('say');
my $likes = $cgi->param('likes');
my $fav = $cgi->param('fav');
my $car = $cgi->param('car');
my $age = $cgi->param('age');
my $town = $cgi->param('town');
my $drink = $cgi->param('drink');
my $wpage = $cgi->param('wpage');
my $nick = encode_entities($nick, '<>&"');
my $pic = encode_entities($pic, '<>&"');
my $say = encode_entities($say, '<>&"');
my $likes = encode_entities($likes, '<>&"');
my $fav = encode_entities($fav, '<>&"');
my $age = encode_entities($age, '<>&"');
my $town = encode_entities($town, '<>&"');
my $drink = encode_entities($drink, '<>&"');
my $wpage = encode_entities($wpage, '<>&"');
open(my $fh, '>>', 'drivers.html') or die "Cannot open drivers.html: $!";
print "Content-type:text/html\r\n\r\n";
print $fh "<b>$nick</b><br><img src='$pic' width='250' height='auto' border='2'><br><br>Says <b>$say</b><br>Likes <b>$likes</b><br>Favorite vehicle <b>$fav</b><br> Real life car/vehicle <b>$car</b><br>Age <b>$age</b><br>Hometown <b>$town</b><br>Favorite drink <b>$drink</b><br><b><a href='$wpage'>$wpage</a></b><HR color=#008000 SIZE=2>\n";
print "<html><head><meta http-equiv = 'refresh' content = '0; url = drivers.html' /></head>";
close $fh;
Re^2: Any security holes?
by hippo (Archbishop) on Jun 27, 2022 at 08:45 UTC
Thank you very much guys for the help - I removed the whole split/pair segment and it still works like a charm. I will read and tinker some more about making it safer.
Re^2: Any security holes?
by AnomalousMonk (Archbishop) on Jun 27, 2022 at 13:59 UTC
my $nick = $cgi->param('nick');
...
my $wpage = $cgi->param('wpage');
my $nick = encode_entities($nick, '<>&"');
...
my $wpage = encode_entities($wpage, '<>&"');
Not to address any security hole but just to simplify and DRY out the code a bit, you might try one of these untested approaches.
my ($nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage)
= map { encode_entities($cgi->param($_), '<>&"') }
qw( nick pic say likes fav car age town drink wpage );
Or else (and better IMHO):
use constant CGI_PARAMS => qw(
nick pic say likes fav car age town drink wpage
);
my %param =
map { $_ => encode_entities($cgi->param($_), '<>&"') }
CGI_PARAMS
;
...
print $fh <<"EOHTML";
<b>$param{'nick'}</b><br>
<img src='$param{'pic'}' width='250' height='auto' border='2'><br>
<br>
Says <b>$param{'say'}</b><br>
Likes <b>$param{'likes'}</b><br>
Favorite vehicle <b>$param{'fav'}</b><br>
Real life car/vehicle <b>$param{'car'}</b><br>
Age <b>$param{'age'}</b><br>
Hometown <b>$param{'town'}</b><br>
Favorite drink <b>$param{'drink'}</b><br>
<b><a href='$param{'wpage'}'>$param{'wpage'}</a></b>
<HR color=#008000 SIZE=2>
EOHTML
Give a man a fish: <%-{-{-{-<
use strict;
use warnings;
use HTML::Entities;
# init
my ($nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage) =
("<html>") x10;
# escape (void context: encode_entities modifies the aliased variable in place)
for my $alias ($nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage) {
encode_entities($alias);
}
# out
print "$nick ... $wpage";
&lt;html&gt; ... &lt;html&gt;
Edit:
or just
encode_entities($_)
for $nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage;
Your last suggestion worked well - now my script is:
#!C:\Perl64\site\bin\perl.exe
use strict;
use warnings;
use HTML::Entities;
use CGI;
my $cgi = CGI->new();
my $nick = $cgi->param('nick');
my $pic = $cgi->param('pic');
my $say = $cgi->param('say');
my $likes = $cgi->param('likes');
my $fav = $cgi->param('fav');
my $car = $cgi->param('car');
my $age = $cgi->param('age');
my $town = $cgi->param('town');
my $drink = $cgi->param('drink');
my $wpage = $cgi->param('wpage');
encode_entities($_)
for $nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage;
open(my $fh, '>>', 'drivers.html') or die "Cannot open drivers.html: $!";
print "Content-type:text/html\r\n\r\n";
print $fh "<b>$nick</b><br><img src='$pic' width='250' height='auto' border='2'><br><br>Says <b>$say</b><br>Likes <b>$likes</b><br>Favorite vehicle <b>$fav</b><br> Real life car/vehicle <b>$car</b><br>Age <b>$age</b><br>Hometown <b>$town</b><br>Favorite drink <b>$drink</b><br><b><a href='$wpage'>$wpage</a></b><HR color=#008000 SIZE=2>\n";
print "<html><head><meta http-equiv = 'refresh' content = '0; url = drivers.html' /></head>";
close $fh;
Looking way better now eh?
Will read/learn more on links provided. Thanx everyone.
Re^2: Any security holes?
by ikegami (Patriarch) on Jun 27, 2022 at 13:20 UTC
Could I ask for an example of correct escaping?
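An added example of what "correct escaping" looks like for the drivers.html record in this thread. It is not code from any poster; it only uses HTML::Entities, which the thread already relies on, and the helper names h(), safe_url() and render_row() plus the %sample values are this example's own. The point it makes: the '<>&"' set used in the first script leaves the apostrophe alone, yet the template puts values inside single-quoted attributes (src='...', href='...'), so the default encode_entities set (which also covers ') is the right choice for text and quoted attributes, and the two URL attributes additionally need a check that the value is a URL at all, because entity escaping says nothing about that.

```perl
#!/usr/bin/perl
# Added example (not from the thread): context-aware escaping for the
# drivers.html record. h(), safe_url() and render_row() are names chosen
# here; only HTML::Entities is assumed, as in the original script.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Text and quoted-attribute context. With no second argument,
# encode_entities escapes < > & " and ' (the apostrophe as &#39;) plus
# control and high-bit characters, so a value cannot end a single-quoted
# attribute such as src='...' the way the '<>&"' set alone permitted.
sub h {
    my ($s) = @_;
    return encode_entities(defined $s ? $s : '');
}

# URL attribute context (src, href). Escaping keeps the markup well-formed
# but does not make the value a URL: allow only an absolute http(s) URL
# made of URL characters, and return '' for anything else.
sub safe_url {
    my ($s) = @_;
    return '' unless defined $s
        && $s =~ m{\A https?:// [^\s<>"'\\]+ \z}x;
    return h($s);    # escape last, immediately before output
}

# Build one record from decoded form values (what $cgi->param returns).
sub render_row {
    my ($f) = @_;
    my %e = map { $_ => h($f->{$_}) }
            qw(nick say likes fav car age town drink);
    my $pic   = safe_url($f->{pic});
    my $wpage = safe_url($f->{wpage});
    # A rejected URL drops the whole element instead of emitting src=''.
    my $img  = $pic   ? "<img src='${pic}' width='250' height='auto' border='2'>" : '';
    my $link = $wpage ? "<a href='${wpage}'>${wpage}</a>" : '';
    return <<"EOHTML";
<b>$e{nick}</b><br>$img<br><br>
Says <b>$e{say}</b><br>
Likes <b>$e{likes}</b><br>
Favorite vehicle <b>$e{fav}</b><br>
Real life car/vehicle <b>$e{car}</b><br>
Age <b>$e{age}</b><br>
Hometown <b>$e{town}</b><br>
Favorite drink <b>$e{drink}</b><br>
<b>$link</b><HR color=#008000 SIZE=2>
EOHTML
}

# Constructed sample values standing in for $cgi->param(...) output.
my %sample = (
    nick  => "O'Brien <b>not bold</b>",        # apostrophe and markup in text
    pic   => 'https://example.invalid/obrien.png',
    say   => 'Drive & enjoy',
    likes => 'Rain', fav => 'Van', car => 'Hatchback',
    age   => '42', town => 'Cork', drink => 'Tea',
    wpage => 'ftp://example.invalid/',          # not http(s): link is omitted
);

print "Content-type: text/html; charset=UTF-8\r\n\r\n";
print render_row(\%sample);
# nick becomes O&#39;Brien &lt;b&gt;not bold&lt;/b&gt;, say becomes
# Drive &amp; enjoy, pic is kept as is, and the wpage anchor is left out.
```

To use this in the posted script, fill the hash from `$cgi->param($_)` for each field name instead of %sample, and write `render_row(\%fields)` to the file opened with `open(my $fh, '>>', 'drivers.html') or die "Cannot open drivers.html: $!"`. Keeping the escaping inside render_row, applied to every value right where it is interpolated, is what makes it hard to forget a field the way the first script swapped $say and $drink.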