Bugtraq archives for 4th quarter (Oct-Dec) 1997: Re: CERT Advisory CA-97.25 - CGI_metachar

Re: CERT Advisory CA-97.25 - CGI_metachar

Andrew McNaughton (andrewSQUIZ.CO.NZ)
Tue, 11 Nov 1997 17:42:29 +1300

>Building on this philosophy, the Perl program we presented above could be
>thus sanitized to contain ONLY those characters allowed. For example:
>
>        #!/usr/cert/bin/perl
>        $_ = $user_data = $ENV{'QUERY_STRING'}; # Get the data
>        print "$user_data\n";
>        $OK_CHARS='a-zA-Z0-9_\-\.';    # A restrictive list, which
>                                        # should be modified to match
>                                        # an appropriate RFC, for example.
>        eval "tr/[$OK_CHARS]/_/c";
>        $user_data = $_;
>        print "$user_data\n";
>        exit(0);
>

OK, let's test that.  Add a few lines like so...


#!/usr/cert/bin/perl

# Build a QUERY_STRING that contains every byte value 0..255
for (0..255) {
    $ENV{'QUERY_STRING'} .= chr($_);
}

$_ = $user_data = $ENV{'QUERY_STRING'}; # Get the data
#print "$user_data\n";
$OK_CHARS='a-zA-Z0-9_\-\.';    # A restrictive list, which
                                        # should be modified to match
                                        # an appropriate RFC, for example.
eval "tr/[$OK_CHARS]/_/c";     # the advisory's filter, unchanged
s/_//g;                        # strip the substituted '_' so only survivors remain
$user_data = $_;
print "$user_data\n";
exit(0);


prints:

-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ[]abcdefghijklmnopqrstuvwxyz


Those square brackets look unintended and possibly useful.

Andrew McNaughton



 The effort to understand the universe is       Andrew McNaughton
 one of the very few things that lifts         Andrewsquiz.co.nz
 human life above the level of farce,
 and gives it some of the grace            http://www.squiz.co.nz
 of tragedy  -  Steven Weinberg         http://www.newsroom.co.nz
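As an added example (not part of the post or of the CERT advisory), the advisory's bracketed tr/// beside a corrected form, both run over all 256 byte values. In tr/// the brackets are not a character class but two more literal characters in the search list, which is why '[' and ']' survive; the sub names and the /d variant are my own choices, not the advisory's.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The advisory's form: '[' and ']' become part of the keep list, so
# they pass the filter along with the intended characters.
sub sanitize_with_brackets {
    my ($s) = @_;
    my $ok = 'a-zA-Z0-9_\-\.';
    eval "\$s =~ tr/[$ok]/_/c";   # eval only because the list is interpolated
    return $s;
}

# Corrected: no brackets and no eval. tr/// takes the list directly;
# /c complements it and /d deletes the rejected bytes instead of
# substituting '_', which would be indistinguishable from a real '_'.
sub sanitize_fixed {
    my ($s) = @_;
    $s =~ tr/a-zA-Z0-9_\-.//cd;
    return $s;
}

# Constructed input: every byte value, as in the post's test.
my $all = join '', map { chr } 0 .. 255;

my $kept_bracket = sanitize_with_brackets($all);
$kept_bracket =~ s/_//g;       # drop the substituted '_', as the post does
my $kept_fixed = sanitize_fixed($all);

print "brackets: $kept_bracket\n";
print "fixed:    $kept_fixed\n";

# Bytes the bracketed filter lets through that the corrected one rejects
my %fixed_set = map { $_ => 1 } split //, $kept_fixed;
my @leaked = grep { !$fixed_set{$_} } split //, $kept_bracket;
print "leaked through the bracketed filter: @leaked\n";
```

The last line lists exactly `[` and `]`, matching the survivors in the post's output above.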