in reply to Putting HTML fieldnames in symbol space

The CGI module already has a method to do what you describe above:
my $query=new CGI(); $query->import_names('C'); print "C - $C::foo";
For safety's sake it doesn't let you import into the main namespace. It is not safe to import into the main namespace (or any other namespace that you don't reserve for just storing CGI params) because a cracker could overwrite any of your variables. Consider what would happen with the code I put below if a hacker "submitted" to the form with (the CGI-formatted version of) "cmd=rm -f /*", where you weren't expecting cmd to be passed as a CGI param.
my $cmd = "ls";
foreach $key (CGI::param()) { ${$key} = CGI::param($key) }
system $cmd;
Kind of a silly example but it does demonstrate the vulnerability of arbitrarily importing CGI parameters into the main namespace.
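An added illustration (not lhoward's code, and not CGI.pm's) of why import_names refuses the main namespace: a constructed parameter hash stands in for CGI::param(), and the two subs below show the same submitted "cmd" field either landing harmlessly in a reserved package or clobbering the script's own $cmd.

```perl
#!/usr/bin/perl
use strict;
use warnings;
no warnings 'once';    # $C::cmd / $C::foo are only read once below

# Constructed stand-in for CGI::param(): what a submitted form might carry,
# including a field ("cmd") that the script's own HTML never defined.
my %params = ( foo => 'bar', cmd => 'rm -f /*' );

# Package global on purpose: as btrott notes, a lexical "my $cmd" would not
# be reachable through the symbol table at all.
our $cmd = 'ls';

# Unsafe: copy every submitted field straight into the main namespace.
sub import_into_main {
    no strict 'refs';
    for my $key ( keys %params ) {
        ${"main::$key"} = $params{$key};
    }
    return;
}

# Safer: mirror what import_names('C') does, confining the fields to a
# package reserved for nothing else, and refuse 'main' as CGI.pm does.
sub import_into_namespace {
    my ($ns) = @_;
    die "refusing to import CGI params into the main namespace\n"
        if $ns eq 'main';
    no strict 'refs';
    for my $key ( keys %params ) {
        ${"${ns}::$key"} = $params{$key};
    }
    return;
}

import_into_namespace('C');
# The script's $cmd is untouched; the hostile value sits in $C::cmd.
print "after import into C:    \$cmd='$cmd'  \$C::cmd='$C::cmd'  \$C::foo='$C::foo'\n";

import_into_main();
# $main::cmd (aliased by "our $cmd") now holds the submitted field; a
# following "system $cmd" would run whatever the form sent.
print "after import into main: \$cmd='$cmd'\n";

eval { import_into_namespace('main') };
print "guard: $@" if $@;
```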

RE: Re: Putting HTML fieldnames in symbol space
by btrott (Parson) on May 27, 2000 at 03:12 UTC
    This is a very nice example. However, you shouldn't have declared $cmd lexically--doing so means that your example isn't very dangerous at all. :)

    Because that for loop overwrites $main::cmd... not the lexical $cmd that you've already defined. When you use $cmd w/o using a package qualifier, you're using the lexical $cmd, if one exists--and one does exist, in this case. So you're still just doing

    system "ls";
    Make your $cmd a package global, and then it's dangerous again.

    Of course, your point is made either way. :)

RE: Re: Putting HTML fieldnames in symbol space
by Russ (Deacon) on May 27, 2000 at 03:05 UTC
    Great point, lhoward!!! I was too shocked to come up with the most important reason not to do this. It is definitely a security breach waiting to happen.

    Of course, no one is 'system'ing anything from the user (I'd have fainted dead away (and flat forbidden him from doing so) had they been doing that!), but security is certainly the best argument against this nonsense.

    Thanks!