Re: Re: Untainted done right!


Problems? Is your data what you think it is?
	PerlMonks

Re: Re: Untainted done right!

by Corion (Patriarch)

on Feb 12, 2001 at 23:47 UTC ( [id://57964]=note: print w/replies, xml )

Need Help??

in reply to Re: Untainted done right!
in thread Untainted done right!

There's one small caveat with your code. If you are using CGI::Carp _and_ malicious data fails, the data will be printed out back to the browser, data, which could have been construed just to be sent back to the browser (for example, the Slashdot-Cookie-Stealer worked that way, by giving you an URL that was like http://www.slashdot.org/non-existing-directory/<SCRIPT>... evil JavaScript ..., which was then printed out by Slashdot back to the browser, and then run in the browser.

My strategy would be to just log taint-failed data into a file, as you never know exactly how that data got to your machine. Of course, maybe using HTML::Entities could prevent such misuse, as the text will then come back literally instead of interpretable ...

Comment on Re: Re: Untainted done right!

Replies are listed 'Best First'.
Re: Re: Re: Untainted done right! by arturo (Vicar) on Feb 12, 2001 at 23:50 UTC
Good point. I just want to mention that one shouldn't be echoing such messages back to the browser in a production environment. i.e. turn this off when you go live with it: `use CGI::Carp qw(fatalsToBrowser);` [download] the likes of which are required for this to be a problem. Philosophy can be made out of anything. Or less -- Jerry A. Fodor	[reply] [d/l]

In Section Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://57964]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others scrutinizing the Monastery: (3)

As of 2024-04-20 15:47 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found