Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

My most humble question for Monks:

I am writing a script which accepts user input from a Web form. Most input I can untaint with no problem. I have problems with two types, though. Users can enter URLs and descriptions for the URLs. The URLs will be written out to a flat file and sometimes printed to a Web page. Usually, they will be used to redirect a browser. The descriptions will also be written out to a flat file and sometimes printed to a Web page.

My question: What sort of taint checking needs to be done for information which is just being written to a file and sometimes printed to a Web page? This information will not be used in any other way. Are there any security problems with this?

Are there any security problems with using user-entered URLs for redirection? In other words, Joe can only be redirected to URLs that Joe entered.

Any and all assistance would be greatly appreciated!!!

Replies are listed 'Best First'.
Re: Untainting URLs and their descriptions
by lhoward (Vicar) on Jul 08, 2000 at 22:53 UTC
    For your URLs about all you can do is make sure that they are valid syntactically (they look like URLs) and you can check them with the LWP module to make sure they actually retrieve a page. If the URL passes these 2 tests it should be acceptable. (who knows what the content of the page it links to is, but at least it "works" as a URL).

    There is more danger from accepting text from users. It could contain many harmful (either directly by doing naughty things, or indirectly by just screwing up your formatting) tags. A good technique is to have a limited set of HTML tags that a user could enter and dump any others (HTML::Parser is good for this). Definitely drop the tags that could be a major source of problems (script, frame, form, iframe, etc...). If you want to be paranoid, just drop all HTML tags from users and you will probably be OK.

Security Risk
by Anonymous Monk on Jul 09, 2000 at 11:23 UTC
    Hi,

    lhoward is right about checking the validity of the URLs and the text/html.

    You should be paranoid, it is a big security risk to allow unchecked text.

    One very important one is Server Side Includes, because it's just an HTML comment:

    < ! - - #directive parameter="value" - - >.
    
    Server Side Includes are very easily exploitable.
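One way to put the advice from both replies into code, as an added example that is not from the original thread: a Perl script meant to run under -T that untaints URLs by scheme and shape, and passes descriptions through HTML::Parser with a small tag whitelist so that script/iframe/form tags, event attributes and SSI comments never reach the flat file. The whitelist and the helper names are my choices; URI, HTML::Parser and HTML::Entities are the CPAN modules used, and lhoward's LWP "does it fetch" test is left out because it needs network access.

```perl
use strict;
use warnings;
use URI;
use HTML::Parser;
use HTML::Entities qw(encode_entities);

# Hypothetical helper: accept only absolute http/https URLs. Re-capturing the
# canonical form through a regex is what actually lifts the taint flag.
sub untaint_url {
    my $uri = URI->new(shift);
    return unless $uri->scheme && $uri->scheme =~ /^https?$/ && $uri->host;
    my ($clean) = $uri->canonical->as_string
        =~ m{^(https?://[\w.-]+(?::\d+)?(?:/[^\s<>"']*)?)$};
    return $clean;   # undef if the canonical form still contains junk
}

# Tags a description may keep; everything else (script, iframe, form, ...)
# is dropped along with every attribute except a re-validated href.
my %ALLOWED = map { $_ => 1 } qw(b i em strong p br a);

sub clean_description {
    my ($html, $out, $skip_a) = (shift, '', 0);
    my $p = HTML::Parser->new(
        api_version => 3,
        handlers => {
            start => [ sub {
                my ($tag, $attr) = @_;
                return unless $ALLOWED{$tag};
                if ($tag eq 'a') {
                    my $href = untaint_url($attr->{href} // '');
                    $skip_a = !defined $href;   # javascript:, data:, relative fail
                    $out .= qq{<a href="$href">} unless $skip_a;
                } else {
                    $out .= "<$tag>";   # attributes (onclick, style, ...) dropped
                }
            }, 'tagname, attr' ],
            end => [ sub {
                my ($tag) = @_;
                return unless $ALLOWED{$tag} && !($tag eq 'a' && $skip_a);
                $out .= "</$tag>";
            }, 'tagname' ],
            # decoded text is re-escaped, so a literal "<" can never start a tag
            text => [ sub { $out .= encode_entities($_[0]) }, 'dtext' ],
            # no handler for comment/declaration/process events, so an SSI
            # comment such as <!--#directive parameter="value" --> is discarded
        },
    );
    $p->parse($html);
    $p->eof;
    return $out;
}
```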