
Re: [PBML] GPL Perl Blog

  • Jeff Pinyan
    Message 1 of 4 , Mar 1, 2008
      On Sat, Mar 1, 2008 at 10:41 AM, David Francos <yo.orco@...> wrote:
      > I'm sorry, yes that was what I thought, but I didn't get what I was looking
      > for on Google; next time I'll remember perlsec.
      > The code in question is tainted: $file=$cgi->param('newid'); --> not
      > exactly, it's $newpath/$newid and newid is filtered to remove "../" from
      > it, and I've thought of just removing everything but numbers, or giving an
      > error if something other than a number is given (newid is always a
      > number)

      Untainting isn't a matter of removing the bad, it's a matter of extracting
      the good.

      my $file = $cgi->param('newid'); # $file is tainted because it comes from an HTTP query

      To untaint $file, you must do more than remove what you don't want:

      # remove all characters that aren't lowercase letters...
      $file =~ s/[^a-z]+//g; # $file is STILL tainted!

      Instead, you must extract what is ok:

      # if there are one or more lowercase letters, use them as $file's value
      if ($file =~ /([a-z]+)/) {
          $file = $1;
      }
      else {
          # complain somehow
          die "Invalid value for '$file': must contain lowercase letters";
      }

      In your case, you would want to do this:

      my ($file) = $cgi->param('newid') =~ /(\d+)/;

      If $file is *undef* after that, then *newid* had a bad value in it.

      --
      [Mary said,] "Do whatever he tells you." ~ John 2:5
      The Cross Reference - http://thecrossreference.blogspot.com/
      Nos autem praedicamus Christum crucifixum (1 Cor 1:23)


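As an added example (not code from the thread), here is a standalone script that runs under perl -T and uses Scalar::Util::tainted to show that stripping with s/// leaves the value tainted while extracting with a capture does not. The tainted_param helper is a constructed stand-in for $cgi->param('newid'), and the anchored /^(\d+)$/ is stricter than the unanchored /(\d+)/ above: a value such as '12abc' is rejected as a whole instead of being trimmed to 12.

```perl
# Run as:  perl -T untaint_demo.pl
# Added example, not from the original mailing-list post.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed stand-in for $cgi->param('newid'): under -T every %ENV value
# is tainted, and concatenating a zero-length slice of one taints the
# literal too (the trick perlsec and Taint::Util describe).
sub tainted_param {
    my ($value) = @_;
    return substr($ENV{PATH} // '', 0, 0) . $value;
}

# Removing the bad: the result carries the taint of its input, so Perl
# would still refuse to use it in open(), system(), etc.
sub strip_non_digits {
    my ($raw) = @_;
    (my $copy = $raw) =~ s/\D+//g;
    return $copy;
}

# Extracting the good: $1 from a successful match is untainted.  Anchoring
# makes "digits only" a property of the whole value, not a substring of it.
sub untaint_id {
    my ($raw) = @_;
    my ($id) = $raw =~ /^(\d+)$/;
    return $id;    # undef when newid was not a plain number
}

# Constructed sample inputs: one good id, one traversal attempt, one mixed.
for my $input ('42', '../../etc/passwd', '12abc') {
    my $raw      = tainted_param($input);
    my $stripped = strip_non_digits($raw);
    my $id       = untaint_id($raw);
    printf "%-20s stripped=%-8s still tainted=%d  untainted id=%s\n",
        "'$input'", "'$stripped'", tainted($stripped) ? 1 : 0,
        defined $id ? "'$id'" : 'undef';
}
```

Only the first input yields a defined, untainted id; the other two give undef, which is the point at which the CGI should report an error rather than build a path.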