
Re: [Omaha.pm] Sanitizing user input to use in a regexp search.



On 1/22/2010 5:23 PM, Sterling Hanenkamp wrote:
On Fri, Jan 22, 2010 at 4:55 PM, Dan Linder <dan@linder.org> wrote:
        $mycgi = CGI->new();
        $search_string = $mycgi->param('SEARCHSTRING');
        # Note: /o compiles the pattern only once per process, so under a
        # persistent environment (mod_perl, FastCGI) later requests would
        # keep matching against the first request's $search_string.
        if ($data =~ /$search_string/io) {
            # Do something if we match...
        }

    My understanding is that it is/might be possible to get bad data
    pushed into the $search_string and cause the /regexp/ call to execute it
    or perform something not intended.  But if I

    Or am I/we being overly cautious?  I've tried stuffing a number of bad
    things into the field and they don't seem to have any bad effect.

You are definitely not being overcautious. Try searching for:

(?{open FH,"/etc/passwd";local $/;print <FH>})

I'd recommend running anything through quotemeta() before using it in
your regexp.

I like the quotemeta() suggestion. I wonder if that's foolproof.

I can't get the exploit to run. I keep getting this:

Eval-group not allowed at runtime, use re 'eval' in regex m/(?{open FH,"/etc/passwd";local $/;print <FH>})/ at j.pl line 6.

I guess that makes me a bad cracker.  :)

Does taint mode help here? It's one of those things I should probably use/learn, but never have:

   http://perldoc.perl.org/perlsec.html#Taint-mode

If people are only supposed to be able to search for alphanumerics, you could filter their input.

   $search_string = $mycgi->param('SEARCHSTRING');
   $search_string =~ s/\W//g;   # keep only word characters [A-Za-z0-9_]

or be more specific/lenient...

   $search_string =~ s/[^a-z0-9 ]//g;   # add /i if uppercase letters should survive

or similar. Perhaps \Q \E makes you safe?  (perldoc perlre)

   if ($data =~ /\Q$search_string\E/io) {
        # Do something if we match...
   }

$search_string is still interpolated, but any regex fanciness is disabled.

HTH,

j
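To put the three approaches from the thread side by side, here is an added example (not code from the original posts) that runs the raw interpolation, quotemeta(), \Q..\E and a character whitelist against a constructed haystack and a handful of constructed search strings, including Sterling's (?{ ... }) payload. The subroutine names, the haystack and the inputs are all made up for the demo.

```perl
#!/usr/bin/perl
# Added example: compare raw interpolation, quotemeta()/\Q..\E escaping and a
# character whitelist on hostile search strings. All data below is constructed.
use strict;
use warnings;

# Constructed haystack; it deliberately contains a literal "(?{ hi })".
my $data = "user: alice (?{ hi })  /etc/passwd";

# Constructed inputs a client might submit as SEARCHSTRING.
my %inputs = (
    plain        => 'alice',
    wildcard     => '.*',          # matches everything when interpolated raw
    unbalanced   => '(alice',      # malformed pattern: the match dies
    literal_code => '(?{ hi })',   # present literally in $data
    eval_group   => '(?{open FH,"/etc/passwd";local $/;print <FH>})',
);

# 1. Raw interpolation, as in the original CGI snippet (without /o).
#    Wrapped in eval because a malformed pattern, or an eval-group without
#    "use re 'eval'", throws at runtime and would otherwise kill the script.
sub match_raw {
    my ($haystack, $needle) = @_;
    my $hit = eval { $haystack =~ /$needle/i ? 1 : 0 };
    return defined $hit ? $hit : "died: $@";
}

# 2. quotemeta(): backslash-escapes every non-word character, so the input
#    can only match itself.
sub match_quotemeta {
    my ($haystack, $needle) = @_;
    my $escaped = quotemeta $needle;
    return $haystack =~ /$escaped/i ? 1 : 0;
}

# 3. \Q..\E in the pattern: the same escaping applied at interpolation time.
sub match_qe {
    my ($haystack, $needle) = @_;
    return $haystack =~ /\Q$needle\E/i ? 1 : 0;
}

# 4. Whitelist: drop anything outside [a-z0-9 ] (case-insensitively) first.
#    An input reduced to the empty string must be refused explicitly: an
#    empty pattern in Perl silently reuses the last successful pattern.
sub match_whitelist {
    my ($haystack, $needle) = @_;
    (my $clean = $needle) =~ s/[^a-z0-9 ]//gi;
    return 0 if $clean eq '';
    return $haystack =~ /\Q$clean\E/i ? 1 : 0;
}

for my $name (sort keys %inputs) {
    my $in = $inputs{$name};
    printf "%-13s raw=%s | quotemeta=%s | \\Q\\E=%s | whitelist=%s\n",
        $name,
        match_raw($data, $in),
        match_quotemeta($data, $in),
        match_qe($data, $in),
        match_whitelist($data, $in);
}
```

Run it and compare the rows: the raw column dies for the unbalanced and eval-group inputs and matches everything for `.*`, while the quotemeta() and \Q..\E columns agree with each other and only ever match the submitted text literally. The example also drops the /o flag from the original snippet on purpose: /o compiles the pattern once per process, so under mod_perl or FastCGI a later request would silently keep searching for the first request's string.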