http://qs1969.pair.com?node_id=57964


in reply to Re: Untainted done right!
in thread Untainted done right!

There's one small caveat with your code. If you are using CGI::Carp _and_ malicious data fails, the data will be printed out back to the browser, data, which could have been construed just to be sent back to the browser (for example, the Slashdot-Cookie-Stealer worked that way, by giving you an URL that was like http://www.slashdot.org/non-existing-directory/<SCRIPT>... evil JavaScript ... , which was then printed out by Slashdot back to the browser, and then run in the browser.

My strategy would be to just log taint-failed data into a file, as you never know exactly how that data got to your machine. Of course, maybe using HTML::Entities could prevent such misuse, as the text will then come back literally instead of interpretable ...

Replies are listed 'Best First'.
Re: Re: Re: Untainted done right!
by arturo (Vicar) on Feb 12, 2001 at 23:50 UTC

    Good point. I just want to mention that one shouldn't be echoing such messages back to the browser in a production environment. i.e. turn this off when you go live with it:

    use CGI::Carp qw(fatalsToBrowser);

    the likes of which are required for this to be a problem.

    Philosophy can be made out of anything. Or less -- Jerry A. Fodor