[5555] in bugtraq
Re: CERT Advisory CA-97.25 - CGI_metachar
daemon@ATHENA.MIT.EDU (Andrew McNaughton)
Tue Nov 11 16:08:03 1997
Date: Tue, 11 Nov 1997 17:42:29 +1300
Reply-To: Andrew McNaughton <andrew@SQUIZ.CO.NZ>
From: Andrew McNaughton <andrew@SQUIZ.CO.NZ>
X-To: cert-advisory-request@cert.org
To: BUGTRAQ@NETSPACE.ORG
>Building on this philosophy, the Perl program we presented above could be
>thus sanitized to contain ONLY those characters allowed. For example:
>
> #!/usr/cert/bin/perl
> $_ = $user_data = $ENV{'QUERY_STRING'}; # Get the data
> print "$user_data\n";
> $OK_CHARS='a-zA-Z0-9_\-\.@';   # A restrictive list, which
>                                # should be modified to match
>                                # an appropriate RFC, for example.
> eval "tr/[$OK_CHARS]/_/c";
> $user_data = $_;
> print "$user_data\n";
> exit(0);
>
OK, let's test that. Add a few lines like so...
#!/usr/cert/bin/perl
for (0..255) {                  # feed every byte value 0..255
    $ENV{'QUERY_STRING'} .= chr($_);
}
$_ = $user_data = $ENV{'QUERY_STRING'}; # Get the data
#print "$user_data\n";
$OK_CHARS='a-zA-Z0-9_\-\.@';   # A restrictive list, which
                               # should be modified to match
                               # an appropriate RFC, for example.
eval "tr/[$OK_CHARS]/_/c";
s/_//g;                        # drop the substituted underscores so
                               # only the characters that survived print
$user_data = $_;
print "$user_data\n";
exit(0);
prints:
-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]abcdefghijklmnopqrstuvwxyz
Those square brackets look unintended and possibly useful.
Andrew McNaughton

The effort to understand the universe is one of the very few things that
lifts human life above the level of farce, and gives it some of the grace
of tragedy - Steven Weinberg

Andrew McNaughton
Andrew@squiz.co.nz
http://www.squiz.co.nz
http://www.newsroom.co.nz
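An added example, not part of McNaughton's post or the CERT advisory: it runs the advisory's filter and two corrected forms over all 256 byte values, so the leaked characters are visible side by side. The $OK_CHARS list is the advisory's; the sub names cert_sanitize, tr_sanitize, re_sanitize and survivors are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: every byte value 0..255, so anything the filter
# lets through shows up in the output.
my $all_bytes = join '', map { chr } 0..255;

# The allow-list from CA-97.25, unchanged.
my $OK_CHARS = 'a-zA-Z0-9_\-\.@';

# The advisory's version. In tr/// the square brackets are not a
# character class; they are two more literal characters in the search
# list, so '[' and ']' are treated as allowed.
sub cert_sanitize {
    my ($s) = @_;
    local $_ = $s;
    eval "tr/[$OK_CHARS]/_/c";
    return $_;
}

# Same tr///, brackets dropped: only the listed characters survive.
# The string eval is still needed because tr/// does not interpolate.
sub tr_sanitize {
    my ($s) = @_;
    local $_ = $s;
    eval "tr/$OK_CHARS/_/c";
    return $_;
}

# The same allow-list as a regex, where [...] really is a class and no
# eval of a constructed string is needed.
sub re_sanitize {
    my ($s) = @_;
    (my $out = $s) =~ s/[^$OK_CHARS]/_/g;
    return $out;
}

# Strip the substituted underscores (as the post does with s/_//g) so
# only the characters that passed the filter remain.
sub survivors {
    my ($s) = @_;
    (my $kept = $s) =~ s/_//g;
    return $kept;
}

for my $f ( [ 'cert',  \&cert_sanitize ],
            [ 'tr',    \&tr_sanitize ],
            [ 'regex', \&re_sanitize ] ) {
    printf "%-6s %s\n", $f->[0], survivors( $f->[1]->($all_bytes) );
}
```

Run as `perl tr_brackets.pl`; the `cert` line reproduces the post's output including `[]`, and the `tr` and `regex` lines agree with each other and lack them. The same check, looping over every byte value rather than a hand-picked string, is worth keeping around for any allow-list filter, since it catches exactly this kind of quoting mistake.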