Re: [Omaha.pm] Thoughts?
I like idea #2, activated when you *know* you're not going to do anything exploitable.
But I don't like the switch RawCGI=>1.
I'd vote for the RARE use of:
my $page = new View::Web::Page(Globals=>$Globals,Safe=>0);
In the constructor default Safe to 1 (on/true).
$Safe = 1 unless (defined $Safe);
if ($Safe) {
foreach my $param ($q->param()) {
# Strip out all wacky characters to prevent SQL injections
...etc...
$0.02,
j
> So, I ran into an issue using View::Web::Page and file
> uploads. Jay helped point me to a function of the class that
> "cleans" all the q->params() to stop sql attacks.
> Unfortunately, it also strips all the backslashes out of my
> filepath that IE pukes into the form-data (mozilla
> conveniently removes all but the filename in formposts)
> making it difficult to parse the filename.
>
> I figure there's 2 ways to address this without reducing the
> attack consideration:
>
> 1. Specifically ignore 'special' params :
> foreach my $param ($q->param()) {
>
> # Strip out all wacky characters to prevent SQL injections
> #
> if ($param ne 'fileupload') {
> my $value = $q->param($param);
> $value =~ s/[`;'"\\]//g;
> $q->delete($param);
> $q->param($param,$value);
> if ($param =~ /^(view|edit|update|delete|insert)__/) {
> my @arr = split /__/, $param;
> $pagemode = shift @arr;
> $pagename = shift @arr;
> $pageid = join('__', @arr);
> last;
> }
> }
> }
>
> 2. instantiating it like this
>
> my $page = new View::Web::Page(Globals=>$Globals,RawCGI=>1);
>
> and adding an if around this block of code
>
> if (!$RawCGI) {
> foreach my $param ($q->param()) {
> # Strip out all wacky characters to prevent SQL injections
> #
> my $value = $q->param($param);
> $value =~ s/[`;'"\\]//g;
> $q->delete($param);
> $q->param($param,$value);
> if ($param =~ /^(view|edit|update|delete|insert)__/) {
> my @arr = split /__/, $param;
> $pagemode = shift @arr;
> $pagename = shift @arr;
> $pageid = join('__', @arr);
> last;
> }
> }
> }
>
>
> Thoughts?
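As an added illustration (not code from View::Web::Page or from either poster), here is a stand-alone Perl sketch of the Safe-defaults-to-on constructor proposed in the reply, the same character-stripping loop with the upload param left untouched, and the last path component pulled out of an IE-style path so the backslashes are never needed downstream. The names new_page, sanitize_params, upload_basename, the Keep option and the FakeCGI stand-in are all assumptions made for this example.

```perl
use strict;
use warnings;

# Hypothetical stand-in for the View::Web::Page constructor proposed in the
# reply: Safe defaults to 1 and only an explicit Safe=>0 skips the cleaning.
# Keep => [names] is an assumed extra option for params left untouched.
sub new_page {
    my (%args) = @_;
    my $safe = defined $args{Safe} ? $args{Safe} : 1;
    my %keep = map { $_ => 1 } @{ $args{Keep} || [] };
    sanitize_params($args{CGI}, %keep) if $safe;
    return { cgi => $args{CGI}, Safe => $safe };
}

# The character-stripping loop from the thread, skipping any param in %keep
# so an upload path keeps its backslashes (same effect as the 'fileupload' test).
sub sanitize_params {
    my ($q, %keep) = @_;
    foreach my $param ($q->param()) {
        next if $keep{$param};
        my $value = $q->param($param);
        $value =~ s/[`;'"\\]//g;
        $q->delete($param);
        $q->param($param, $value);
    }
}

# Last path component whatever the separator: IE sends C:\dir\file.txt,
# Mozilla sends file.txt; both yield file.txt.
sub upload_basename {
    my ($path) = @_;
    my ($base) = $path =~ m{([^/\\]+)\z};
    return $base;
}

# Tiny in-memory object answering param()/delete() like CGI.pm, for an offline run.
package FakeCGI;
sub new    { my ($c, %p) = @_; bless { p => \%p }, $c }
sub param  { my ($s, $k, $v) = @_;
             return keys %{ $s->{p} } unless defined $k;
             $s->{p}{$k} = $v if @_ > 2;
             return $s->{p}{$k} }
sub delete { my ($s, $k) = @_; CORE::delete $s->{p}{$k} }
package main;

# Constructed sample request: one hostile text field, one IE-style upload path.
my $q = FakeCGI->new(comment => q{it's; "bad"`}, fileupload => 'C:\\Temp\\report.txt');
my $page = new_page(CGI => $q, Keep => ['fileupload']);
print "comment:  ", $q->param('comment'), "\n";
print "filename: ", upload_basename($q->param('fileupload')), "\n";
```

Stripping characters only narrows what reaches the query; the upload field here is kept raw only because its value is reduced to a bare filename before any other use.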