Beefy Boxes and Bandwidth Generously Provided by pair Networks
Come for the quick hacks, stay for the epiphanies.
 
PerlMonks  

comment on
( [id://3333]=superdoc: print w/replies, xml ) Need Help??
Would a regular expression around the query string solve the problem?
Basically, what a regex does to untaint a variable is to ensure that only valid characters are in the variable. The variable in question, in this example, is $siteinfo[1]. Unfortunately, it's very, very difficult to find an appropriate regex that can perfectly secure user-supplied data that is passed to the shell. What I would probably do in this case is creates a hash that has the user data as the key and the hash value as the actual file to be opened. I say "probably" because if you have hundreds of files that the user could open, you would want to take a different solution. 
my %files = ( colors => 'colors.dat',
              tests  => 'test.txt',
              names  => 'names.dat',
              bribes => 'politicians.txt' );

open IN, "<$filepath/$files{$siteinfo[1]}" or
    someErrorRoutine( "Can't open $filepath/$siteinfo[1] for reading: 
+$!" );

[download]
In the above example, the user data is used to pull a value from a hash. Since you have created those hash values, you know they are safe. If the hash value doesn't exist, then someErrorRoutine() is called. Depending upon how your site is set up, you might want someErrorRoutine to log the details of the failure. The key point to remember here is that user data never gets close to the shell (and that you should always check to see if your open statement failed).

Also, taint checking should still be used here. The following regex is interesting to me: 

 
$siteinfo[1] =~ /^[^.]+/(\w+\.\w+)$/ or
    someErrorRoutine( "Regex failed" );
my $fileToOpen = $1; # $fileToOpen untainted

[download]
In this case, we are making sure that there are NO periods prior to the final slash and only one period in the actual filename. Note that the error subroutine is called on failure. If it's not and that fails, $1 might contain an undesireable value that gets assigned to $fileToOpen.

The Moral: When untainting data, make sure you check for failure of your regex to match.

For a little more information about exploits like this, read this article (thanks to tilly for that link).

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just go the the link and check out our stats.

In reply to RE: RE: Warning our Fellow Monks by Ovid
in thread Warning our Fellow Monks by Ovid

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":


  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others taking refuge in the Monastery: (6)
As of 2024-04-19 08:59 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found