LinuxQuestions.org
Old 04-26-2009, 05:38 AM   #1
Nick0.jd
LQ Newbie
 
Registered: Apr 2009
Location: Australia
Distribution: Debian (Desktop), Xubuntu (eee701)
Posts: 11

Rep: Reputation: 1
Perl CGI form security


Howdy all,

Just playing with a bit of Perl from a PHP background. I like the way Perl kind of cocoons me with CGI.pm and the auto-tainted data and the like. But I am a little confused with something most likely very minor.

I have a form, and I want to return the users to the form if they type something that is not valid for that field. If it's not valid then the input does not get assigned to the var and the user is back at the form.

My question is, when re-populating the form with the user's post data, is there any reason why that will need to be untainted, seeing as though I am simply re-printing it into the field...

I have a feeling it should be, but I'm not sure just how smart CGI.pm is when it comes to taking apart the URL-encoded string.

Little sample data below.

PHP Code:
use strict;
use warnings;
use CGI;

my $fd = CGI->new;   # request object
my %errors;          # field name => error message

print "<p class='error'>$errors{'phone'}</p><br />\n" if ($errors{'phone'});
print "<label for='phone'>Telephone: </label>";
print "\t\t", $fd->textfield(-name     => 'phone',
                             -id       => 'phone',
                             -default  => $fd->param('phone'),
                             -override => 1), "<br />\n";
(above: I know it's not PHP code, but I myself like syntax colouring)
Just wondering what the best practice is, all help appreciated.
 
Old 04-27-2009, 10:05 AM   #2
Su-Shee
Member
 
Registered: Sep 2007
Location: Berlin
Distribution: Slackware
Posts: 509

Rep: Reputation: 41
That's because Perl's tainting is contagious. Everything that relies on data that has already been recognized as tainted will also be considered tainted.

Check this article, there are several examples for illustration:

http://www.webreference.com/programming/perl/taint/

And if CGI.pm isn't what you really want, check one of the other web-stuff modules, there are many, many more.
 
Old 04-27-2009, 08:22 PM   #3
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172
It is advisable to sanitize everything, even when you are echoing back a form that contains invalid inputs. Don't let the user send back garbage, even to himself.
 
Old 04-28-2009, 03:02 AM   #4
Nick0.jd
LQ Newbie
 
Registered: Apr 2009
Location: Australia
Distribution: Debian (Desktop), Xubuntu (eee701)
Posts: 11

Original Poster
Rep: Reputation: 1
Thanks!

Roger that, thanks for the replies

Now I have the field validated (which in turn untaints the data); then, if it fails validation, it is simply untainted and returned. See below.

Code:
use strict;
use warnings;
use CGI;

my $fd = CGI->new;   # request object
my %errors;          # field name => error message

my $fname = val_name($fd->param('fname'), 'first');

print "<p class='error'>$errors{'first'}</p><br />\n" if ($errors{'first'});
print "<label for='fname'>Firstname: </label>\n";
print $fd->textfield(-name      => 'fname',
                     -id        => 'fname',
                     -default   => $fname,
                     -override  => 1,
                     -maxlength => 30), "<br />\n";

# Validate a name field. On a match the captured text ($1) is returned,
# which is what untaints it; otherwise double quotes are stripped, an
# error is recorded for the field, and the input is handed back as-is.
sub val_name
{
    my $name  = shift;
    my $field = shift;
    $name = '' unless defined $name;
    if ($name =~ /^([a-z]?'?[a-z]{2,30}-?[a-z]{0,20})$/i) {
        $name = $1;
    } else {
        $name =~ s/"//g;
        $errors{$field} = "Please enter a valid $field-name...";
    }
    return $name;
}
Feel free to criticize, like I said, new to Perl and stuff so learning as I go

@ Su-Shee: going to read through the article now to see if I missed anything.

Last edited by Nick0.jd; 04-28-2009 at 03:40 AM. Reason: s/^\"$//g; was a silly idea. Will only take out the " if it's the only thing there.
 
Old 04-28-2009, 10:35 PM   #5
Nick0.jd
LQ Newbie
 
Registered: Apr 2009
Location: Australia
Distribution: Debian (Desktop), Xubuntu (eee701)
Posts: 11

Original Poster
Rep: Reputation: 1
He he, Nerdy Nicky continues to learn. Slimmed down the regex; makes a lil more sense now I think.

Code:
use strict;
use warnings;

my %errors;   # field name => error message

# Same validator with a single character class: letters, hyphen and
# apostrophe, 2 to 30 characters. The capture is what untaints the value.
sub val_name
{
    my $name  = shift;
    my $field = shift;
    $name = '' unless defined $name;
    if ($name =~ /^([-a-zA-Z']{2,30})$/i) {
        $name = $1;
    } else {
        $name =~ s/"//g;
        $errors{$field} = "Please enter a valid $field-name...";
    }
    return $name;
}
Just a lil prettier
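Added example (not the poster's code) pulling the thread's points together: a match captures the value, and only that capture is untainted; a value that fails validation comes back still tainted; and whatever is echoed into the form is HTML-escaped before printing. It assumes a command-line run under perl -T (so the argument is tainted, just like CGI input would be) and hand-rolls the escape helper rather than relying on CGI.pm, so it needs only core Perl.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T val_name.pl "O'Brien"
#          perl -T val_name.pl "<b>bogus</b>"
# Command-line arguments are tainted under -T, like form input would be.
use strict;
use warnings;
use Scalar::Util qw(tainted);

my %errors;   # field name => error message

# Returns the captured (untainted) value on a match. On failure it records
# an error and returns the original input unchanged, which stays tainted.
sub val_name {
    my ($raw, $field) = @_;
    $raw = '' unless defined $raw;
    if ($raw =~ /^([-a-zA-Z']{2,30})$/) {
        return $1;
    }
    $errors{$field} = "Please enter a valid $field-name...";
    return $raw;
}

# Escape the characters that matter inside an HTML attribute or text node,
# so a rejected value can be shown back in the field without being rendered.
sub escape_html {
    my $s = shift;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed fallback input when no argument is given (a literal, so untainted).
my $input = @ARGV ? $ARGV[0] : "<b>bogus</b>";
my $fname = val_name($input, 'first');

printf "still tainted after val_name: %s\n", tainted($fname) ? 'yes' : 'no';
print "<p class='error'>$errors{first}</p>\n" if $errors{first};
print "<input type='text' name='fname' value='", escape_html($fname), "'>\n";
```

With a valid argument the first line reports "no"; with an invalid one it reports "yes" and the echoed value appears entity-encoded in the input tag.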
Tags
cgi, forms, security