ferrency has asked for the wisdom of the Perl Monks concerning the following question:

I have tried to contact the Geektools whois proxy authors through a form submission on their web site (http://www.geektools.com/comments.php) regarding some improvements (in my opinion, anyway) I'd like to contribute to their whois proxy script.

Currently (as of revision 3.1.5), their Perl, web-based whois proxy script is vulnerable to cross-site scripting attacks implemented by embedding html or javascritpt in whois-served domain contact data. The proxy happily displays the html/javascript unescaped.

My solution was to build an option in their proxy.cgi script which uses HTML::Filter to filter out specific HTML tags before displaying the whois information.

We will be deploying this solution on our local installations of the whois proxy script. Their code suggests they'd rather receive patches than complaints about their code. I'd like to submit a patch for this fix, as well as possible future patches to generally clean up the code and make it easier to modify and maintain. But I never heard anything back from them when I submitted comments on their web site.

Does anyone have any better contact information for the fine folks over at Geektools?

Thanks!

Alan

Replies are listed 'Best First'.
Re: Geektools whois proxy
by Mr. Muskrat (Canon) on Jan 07, 2003 at 20:54 UTC

    How about contacting the author of the whois proxy? His name and email address is included in the script... 

    #!/usr/bin/perl
##
## Package:   GeekTools Whois Proxy 3.1.5
## File:      proxy.pl (inetd)
## Author:    Robb Ballard <robb@centergate.com>

    [download]

    Update: The readme says: 

    Comments and suggestions for improvement are always welcome -- send th
+em
to comments@centergate.com.  If you don't like the way the proxy does 
something, please don't whine to us about it.  Fix it and send us a di
+ff,
or just don't use the proxy at all.

    [download]
[reply]
[d/l]
[select]
      Um...
      Good call! Thanks, I missed that.

      Oops.

[reply]
Re: (nrd) Geektools whois proxy
by newrisedesigns (Curate) on Jan 07, 2003 at 20:37 UTC

    A WHOIS on Geektools.com:
    CenterGate Research Group LLC
    420 S. Smith Road
    Tempe, AZ 85281
    480-829-9500

    You could always give them a call. Remember to mention Perl Monks and ask them to sign up if they haven't already. :)

    John J Reiser
    newrisedesigns.com

[reply]
      I'm sorry, I should've been more clear: email or perlmonks contact info would be preferred :) Telephones are far from my preferred method of communication, and if they're anything like me they wouldn't answer anyway :)

      Alan

[reply]
Re: Geektools whois proxy
by Aristotle (Chancellor) on Jan 11, 2003 at 22:34 UTC
    My solution was to build an option in their proxy.cgi script which uses HTML::Filter to filter out specific HTML tags before displaying the whois information.
    Am I missing something? Why not just escape the HTML in their stead and be done with? That's one less dependency (is HTML::Filter a core module? don't think so but not sure) and probably a lot less code, not to mention it's going to be more robust because it will disable anything dangerous whether you have or haven't thought of it.

    Makeshifts last the longest.

[reply]
      I chose to use HTML::Filter in the way that I did for a few reasons:

      1. The biggest reason was, it was very easy. The patch was 25 very fluffy lines of code and configuration. If you don't want to use HTML::Filter, it doesn't require you to have the module installed.
      2. It made it trivial to allow customization of the filters: you can easily configure the list of tags you want removed.
      3. It allows you to let safe things like formatting tags work as intended, while disallowing javascript, forms, etc. Blindly escaping everything that looks remotely HTML-ish doesn't allow this, and writing the code by hand to figure out what to escape and what not to escape is a lot more difficult than using a canned module.
      There's a much easier, faster way than either of our methods to disable anything dangerous whether we have or haven't thought of it. Not installing the proxy in the first place is the easiest solution, and requires the least amount of code and work to implement. But that doesn't make it a good solution, because you lose functionality you would otherwise have if you were willing to put in a bit more effort, and/or accept a certain level of risk.

      The same principle applies here: HTML::Filter isn't as efficient in processing time or code size as something akin to s/</&gt;/g; s/>/&lt;/g;. But it provides functionality that a few simple escaping regexes do not. If you don't need that functionality, then by all means make your design decisions differently. I chose an easily configurable solution partially because it allowed us to do what we needed to do, but also because the code allows other people to do what they need to do as well, even if they have different requirements than I do.

      By way of an update:
      I was able to contact the script's author, and I submitted my patch. The script is currently going through a rewrite, but he expects to release a patched version of the old code before the new version is available. The most important outcome is the fact that the author now knows of a problem in the script that he didn't know about before. If he decides to solve it some way other than the way I used, that's up to him. In the mean time, I'll use the solution I have.

      Update: Sorry to sound defensive; I guess I misinterpreted the tone of your question :)

      Alan

[reply]
[d/l]
        No need to get defensive, I was really just asking the question I posted. What I missed then is the fact that you explicitly wanted to allow some markup. In that case of course HTML::Filter is a very sensible choice.

        Makeshifts last the longest.

[reply]

Back to Seekers of Perl Wisdom