Perl CGI form security

Nick0.jd · 04-26-2009, 04:38 AM

Howdy all,

Just playing with a bit of Perl from a php background. I like the way Perl kind of cocoons me with the CGI.pm and the auto tainted data and the like. But I am a little confused with something most likely very minor.

I have a form, and I want to return the users to the form if the type something that is not valid to that field. If it's not valid then the input does not get assigned to the var and the user is back at the form..

My Question is, when re-populating the form with the users post data, is there any reason why that will need to be untainted seeing as though I am simply re-printing it into the field...

I have a feeling it should be but not sure just how smart the CGI.pm is when it comes to taking apart the url encoded string.

Little sample data below.

PHP Code:


			
print "<p class='error'>$errors{'phone'}</p><br />\n" if ($errors{'phone'});

print "<label for='phone'>Telephone: </label>";

print "\t\t", $fd->textfield(-name=>'phone',

                             -id=>'phone', 

                             -default=>$fd->param('phone'),

                             -override=>1), "<br />\n";

(above: I know it's not php code but I, myself like syntax coding

Just wondering what the best practice is, all help appreciated.

Su-Shee · 04-27-2009, 09:05 AM

That's because Perl's tainting is contagious.

Everything that relys on data that already has been recognized as tainted, will also be considered tainted.

Check this article, there are several examples for illustration:

http://www.webreference.com/programming/perl/taint/

And if CGI.pm isn't what you really want, check one of the other web-stuff modules, there are many, many more.

sundialsvcs · 04-27-2009, 07:22 PM

It is advisable to sanitize everything, even when you are echoing back a form that contains invalid inputs. Don't let the user send back garbage, even to himself.

Nick0.jd · 04-28-2009, 02:02 AM

Roger that, thanks for the replies

Now I have the field validate (which in turn un-taints the data) then if it fails validation it is simple untainted and returned. See below

Code:

$fname = &val_name($fd->param('fname'),first);

print "<p class='error'>$errors{'first'}</p><br />\n" if ($errors{'first'});
print "<label for=\'fname\'>Firstname: </label>\n";
print $fd->textfield(-name=>'fname',
                     -id=>'fname',
                     -default=>$fname,
                     -override=>1,
                     -maxlength=>30), "<br />\n";

sub val_name
{
    my $a = shift;
    my $b = shift;
    if ($a =~ /^([a-z]?'?[a-z]{2,30}-?[a-z]{0,20})$/i) {
        $a = $1;
    } else {
        $a =~ s/\"//g;
        %errors->{ $b } = "Please enter a valid $b-name...";
    }
    return $a;
}

Feel free to criticize, like I said, new to Perl and stuff so learning as I go

@ Su-Shee: going to read through the article now to see if I missed anything.

Nick0.jd · 04-28-2009, 09:35 PM

he he, Nerdy Nicky continues to learn

Slimmed down the regex, makes a lil more sense now I think.

Code:

sub val_name
{
    my $a = shift;
    my $b = shift;
    if ($a =~ /^([-a-zA-Z']{2,30})$/i) {
        $a = $1;
    } else {
        $a =~ s/\"//g;
        %errors->{ $b } = "Please enter a valid $b-name...";
    }
    return $a;
}

Just a lil prettier