LinuxQuestions.org

Programming: Perl CGI form security (http://www.linuxquestions.org/questions/programming-9/perl-cgi-form-security-721755/)

Nick0.jd 04-26-2009 05:38 AM

Perl CGI form security
 
Howdy all,

Just playing with a bit of Perl from a php background. I like the way Perl kind of cocoons me with the CGI.pm and the auto tainted data and the like. But I am a little confused with something most likely very minor.

I have a form, and I want to return the users to the form if they type something that is not valid for that field. If it's not valid then the input does not get assigned to the var and the user is back at the form..

My question is, when re-populating the form with the user's post data, is there any reason why that will need to be untainted, seeing as though I am simply re-printing it into the field...

I have a feeling it should be but not sure just how smart the CGI.pm is when it comes to taking apart the url encoded string.

Little sample data below.

PHP Code:

use CGI;
my $fd = CGI->new;   # setup assumed for this fragment: $fd is the CGI object
my %errors;          # filled in by the validation code, not shown here

print "<p class='error'>$errors{'phone'}</p><br />\n" if ($errors{'phone'});
print "<label for='phone'>Telephone: </label>";
# the list passed to print: indent, the textfield() markup, then a line break
print "\t\t", $fd->textfield(-name=>'phone',
                             -id=>'phone',
                             -default=>$fd->param('phone'),
                             -override=>1), "<br />\n";

(above: I know it's not php code but I, myself like syntax coding :)
Just wondering what the best practice is, all help appreciated.

Su-Shee 04-27-2009 10:05 AM

That's because Perl's tainting is contagious. :) Everything that relies on data that has already been recognized as tainted will also be considered tainted.

Check this article, there are several examples for illustration:

http://www.webreference.com/programming/perl/taint/

And if CGI.pm isn't what you really want, check one of the other web-stuff modules, there are many, many more.
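To make the "contagious" point concrete, here is a small stand-alone script (an added example, not code from the thread) that runs under `perl -T` and reports, with `Scalar::Util::tainted`, which values carry the taint flag. It takes the name from `@ARGV` instead of a CGI param; under `-T` both are tainted in the same way. The name pattern is assumed for the demo. It also shows the part of the original question that taint mode does not actually restrict: printing a tainted value back out is allowed, while writing to a filename built from it is refused.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: how taint spreads and how a regex
# capture removes it. Run as:  perl -T taint_demo.pl "O'Brien"
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Refuse to run without -T: otherwise nothing below is tainted and the
# "refused" write at the end would really create a file.
die "run this with perl -T\n" unless ${^TAINT};

# @ARGV comes from outside the program, so under -T it is tainted,
# exactly like a value returned by CGI.pm's param().
my $raw = shift @ARGV;
die "usage: perl -T $0 <name>\n" unless defined $raw;

# Validation by capture is the only way to launder a value. If the input
# does not match, return undef so the caller keeps the tainted original.
# (Name pattern assumed for the demo.)
sub untaint_name {
    my ($value) = @_;
    return $value =~ /^([-a-zA-Z']{2,30})$/ ? $1 : undef;
}

my $greeting = "Hello, $raw";        # built from tainted data ...
my $clean    = untaint_name($raw);   # ... versus a captured copy

printf "raw value             tainted=%d\n", tainted($raw)      ? 1 : 0;
printf "string built from it  tainted=%d\n", tainted($greeting) ? 1 : 0;
if (defined $clean) {
    printf "regex-captured copy   tainted=%d\n", tainted($clean) ? 1 : 0;
} else {
    print "input rejected by the name pattern; keeping it tainted\n";
}

# Printing tainted data is allowed; only "dangerous" operations are refused.
# Opening a file for writing under a tainted name is one of them, so this
# dies with "Insecure dependency in open" and eval catches it.
eval {
    open my $fh, '>', "/tmp/$raw" or die "open: $!";
    close $fh;
};
print "write with tainted path refused: $@" if $@;
```

Run it once with a plain name and once with something like `"Bob<b>"`: the concatenated greeting is tainted in both cases, the captured copy is clean only when the pattern matches, and the `open` is refused either way because it uses `$raw`, not `$clean`.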

sundialsvcs 04-27-2009 08:22 PM

It is advisable to sanitize everything, even when you are echoing back a form that contains invalid inputs. Don't let the user send back garbage, even to himself.
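Untainting and sanitizing are different jobs: a regex capture satisfies `-T`, but it says nothing about whether the value is safe to put inside an HTML attribute. The script below (an added example, not code from the thread) feeds CGI.pm a constructed query string containing an invalid phone number with a quote and an event handler in it, then renders the field three ways: interpolated raw, escaped with `escapeHTML`, and through `textfield()`. The phone pattern and the query string are assumptions for the demo.

```perl
#!/usr/bin/perl
# Added example, not from the thread: echoing a rejected value back into a
# form field, the unsafe way and the safe way. CGI->new accepts a query
# string, so this runs offline without a web server.
use strict;
use warnings;
use CGI;

# Constructed input (URL-encoded): decodes to  555-1234' onfocus='alert(1)
# Not a valid phone number, and it carries markup.
my $q = CGI->new('phone=555-1234%27%20onfocus%3D%27alert(1)');
my $phone = $q->param('phone');

# Validate (pattern assumed). On failure we still show the user what they
# typed, which is exactly the situation the original poster asked about.
my %errors;
if ($phone !~ /^[\d\s+()-]{6,20}$/) {
    $errors{'phone'} = 'Please enter a valid phone number';
}

# UNSAFE: interpolating the raw value lets the quote close value='...' and
# the remainder of the input becomes an attribute of the <input> element.
my $unsafe = "<input type='text' name='phone' value='$phone' />";

# SAFE, by hand: escapeHTML turns & < > " and ' into entities before the
# value reaches the page, so the quote can no longer terminate the attribute.
my $safe = "<input type='text' name='phone' value='"
         . $q->escapeHTML($phone) . "' />";

# SAFE, via CGI.pm: textfield() escapes -default itself (autoEscape is on
# by default), which is why passing param() straight in works in the thread.
my $widget = $q->textfield(-name => 'phone', -default => $phone, -override => 1);

print "Error:   $errors{'phone'}\n" if $errors{'phone'};
print "Unsafe:  $unsafe\n";
print "Escaped: $safe\n";
print "CGI.pm:  $widget\n";
```

Compare the three lines of output: only the first one contains a live `onfocus` attribute. Note that neither the escaped string nor the widget is untainted by this step; escaping is for the browser, capture is for `-T`, and a form that both validates and re-displays input needs both.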

Nick0.jd 04-28-2009 03:02 AM

Thanks!
 
Roger that, thanks for the replies

Now I have the field validate (which in turn untaints the data); then, if it fails validation, it is simply untainted and returned. See below :)

Code:

use strict;
use warnings;
use CGI;

my $fd = CGI->new;   # setup assumed for this fragment
my %errors;          # declared before use so val_name() can set it under strict

# field name must be quoted: a bareword 'first' is an error under strict
my $fname = val_name($fd->param('fname'), 'first');

print "<p class='error'>$errors{'first'}</p><br />\n" if ($errors{'first'});
print "<label for='fname'>Firstname: </label>\n";
print $fd->textfield(-name=>'fname',
                    -id=>'fname',
                    -default=>$fname,
                    -override=>1,
                    -maxlength=>30), "<br />\n";

sub val_name
{
    my $name  = shift;   # submitted (tainted) value; $a/$b are sort's globals, so avoid them
    my $field = shift;   # label used in the error message, e.g. 'first'
    $name = '' unless defined $name;   # param() returns undef when the field is missing
    if ($name =~ /^([a-z]?'?[a-z]{2,30}-?[a-z]{0,20})$/i) {
        $name = $1;      # the capture group is what untaints the value
    } else {
        $name =~ s/\"//g;
        # %errors->{...} is not valid hash syntax; set the element directly
        $errors{$field} = "Please enter a valid $field-name...";
    }
    return $name;
}

Feel free to criticize, like I said, new to Perl and stuff so learning as I go :)

@ Su-Shee: going to read through the article now to see if I missed anything.

Nick0.jd 04-28-2009 10:35 PM

he he, Nerdy Nicky continues to learn :) Slimmed down the regex, makes a lil more sense now I think.

Code:

# %errors is the file-scoped hash from the previous post; same fixes as there
sub val_name
{
    my $name  = shift;   # submitted (tainted) value
    my $field = shift;   # label used in the error message, e.g. 'first'
    $name = '' unless defined $name;
    if ($name =~ /^([-a-zA-Z']{2,30})$/i) {
        $name = $1;      # the capture group untaints the value
    } else {
        $name =~ s/\"//g;
        $errors{$field} = "Please enter a valid $field-name...";
    }
    return $name;
}

Just a lil prettier :)
