[328] in WWW Security List Archive
Re: GE Break-in: via HTTPD?
daemon@ATHENA.MIT.EDU (Paul Phillips)
Tue Jan 17 03:12:49 1995
Date: Mon, 16 Jan 1995 19:45:44 -0800 (PST)
From: Paul Phillips <psphilli@sdcc8.UCSD.EDU>
To: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.BSD.3.91.950116133040.26880j-100000@get.wired.com>
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 16 Jan 1995, Brian Behlendorf wrote:
> If you have to do this, you can protect yourself by running the
> user-supplied email address through a regular expression which
> double-checks its validity.
Be *very* careful here. Some have discovered, the hard way, that in
Perl5 code can be executed within regular expressions. I haven't delved
deeply enough into Perl5 to know the details, but if someone can guess
what you're doing with their input, it's possible they can trick the
regexp into playing their game.
I'm fairly sure Perl4 is safe in this regard. I'd like to hear from someone more
guruish than myself on this, though.
--
Paul Phillips EMAIL: psp@ucsd.edu PHONE: (619) 220-0850
WWW: http://www.primus.com/staff/paulp/ FAX: (619) 220-0873
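A defensive illustration of the point above, as an added Perl example that is not part of the original post or of any project it mentions: the validation pattern is a fixed literal and the untrusted address is only ever the subject of the match, and where user input must appear inside a pattern it is escaped with \Q...\E so it cannot be read as pattern syntax. The patterns, function names and sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the original post): checking an untrusted
# e-mail address without letting the input shape the regular expression.
use strict;
use warnings;

# Safe: the pattern is a fixed literal written by us; the untrusted string
# is only the subject of the match, so nothing in it is interpreted as
# regex syntax. The pattern is deliberately conservative (an assumption,
# not RFC-complete) and a length cap bounds matching work.
sub valid_email {
    my ($addr) = @_;
    return 0 unless defined $addr && length $addr <= 254;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Sometimes user input must go *inside* a pattern, e.g. comparing a
# submitted address against a stored one case-insensitively. Wrap the
# interpolated value in \Q...\E (quotemeta) so metacharacters such as
# '.', '*' or '(' in the submitted text are matched literally.
sub same_address {
    my ($stored, $submitted) = @_;
    return $stored =~ /\A\Q$submitted\E\z/i ? 1 : 0;
}

# Constructed sample inputs for the fixed-pattern check.
my @inputs = (
    'alice@example.com',   # well-formed: accepted
    'bob@example',         # no domain suffix: rejected
    'x@y.z; echo hi',      # shell metacharacters: rejected by the pattern
    'a.*@example.com',     # regex metacharacters: rejected, never compiled
);
for my $in (@inputs) {
    printf "%-22s %s\n", $in, valid_email($in) ? 'accepted' : 'rejected';
}

# Constructed comparison: without \Q...\E the wildcard in the submitted
# value would make 'a.*@example.com' match 'alice@example.com'; escaped,
# it is compared as a literal string and does not match.
printf "literal compare: %s\n",
    same_address('alice@example.com', 'a.*@example.com') ? 'match' : 'no match';
printf "exact compare:   %s\n",
    same_address('alice@example.com', 'Alice@Example.com') ? 'match' : 'no match';
```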