PerlMonks  

Security bug in CGI::Lite::escape_dangerous_chars()

by thraxil (Prior)
on Feb 11, 2003 at 19:16 UTC ( [id://234497]=perlnews )

this item just showed up on bugtraq. the gist is that CGI::Lite's escape_dangerous_chars() misses a few dangerous characters. i haven't confirmed the vulnerability myself, but if you're using CGI::Lite, you may want to take a closer look.

hasn't every perl programmer read phrack?

anders pearson

Re: Security bug in CGI::Lite::escape_dangerous_chars()
by Ovid (Cardinal) on Feb 11, 2003 at 22:26 UTC

    Not having used CGI::Lite before, I never noticed that function, but I have to admit that I'm a bit puzzled. It seems to me that an experienced programmer should have noticed something named escape_dangerous_characters() before this. Trying to eliminate the dangerous is far more difficult than simply allowing the safe.

    Allow for too few "safe" characters, you restrict your functionality; allow for too few "dangerous" characters and you restrict your paychecks.

    Cheers,
    Ovid

    New address of my CGI Course.
    Silence is Evil (feel free to copy and distribute widely - note copyright text)
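To make Ovid's point concrete, here is an added example that is not from the original thread, from CGI::Lite, or from the bugtraq report. The `escape_by_denylist` routine is a hypothetical model of the "list the dangerous characters" approach, not a copy of CGI::Lite's actual implementation, and its character set is constructed for illustration only; `validate_by_allowlist` shows the alternative of accepting only characters known to be safe for the intended use (here, a filename-like token). The sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical denylist escaper (constructed for this example; NOT the code
# of CGI::Lite::escape_dangerous_chars()). It backslash-escapes a fixed set
# of characters it considers dangerous and passes everything else through.
sub escape_by_denylist {
    my ($s) = @_;
    $s =~ s/([;<>*|`&\$!#()\[\]{}:'"])/\\$1/g;
    return $s;
}

# Allowlist validator: the value is accepted only if every character is in
# a small set known to be safe for a filename-like token. Anything else is
# rejected outright (undef), so there is no list of "bad" characters to
# keep complete.
sub validate_by_allowlist {
    my ($s) = @_;
    return $s =~ /\A[A-Za-z0-9_.-]+\z/ ? $s : undef;
}

# Constructed inputs: a clean value, a value with a character the denylist
# knows about, and a value with a control character (newline) that this
# particular denylist never considered.
my @inputs = (
    "report.txt",
    "report.txt; id",
    "report.txt\nid",
);

for my $in (@inputs) {
    my $escaped = escape_by_denylist($in);
    my $allowed = defined validate_by_allowlist($in) ? "accepted" : "rejected";
    # Show newlines visibly so the third case is readable.
    (my $shown_in = $in) =~ s/\n/\\n/g;
    (my $shown_esc = $escaped) =~ s/\n/\\n/g;
    printf "%-18s denylist => %-22s allowlist => %s\n",
        $shown_in, $shown_esc, $allowed;
}
```

The second input is neutralised by the denylist, but the third passes through unchanged because a newline was never on the list; the allowlist rejects both without needing to know what made them dangerous. That is the asymmetry Ovid describes: a denylist is only as good as its completeness, while an allowlist fails closed.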
