in reply to Re^3: How to call external scripts from a CGI-script in taint mode?
in thread How to call external scripts from a CGI-script in taint mode?
No problem, here's the code generating $shellstring:
    $shellstring = '-v -in src_alignment.fasta ';
    foreach my $key (keys(%{$param})) {
        CASE: {
            if ($key eq 'groups') {
                $shellstring .= '-groups "'.$param->{'groups'}.'" ';
                last CASE;
            }
            if ($key eq 'ngra') {
                $shellstring .= '-ngra ';
                last CASE;
            }
            if ($key eq 'gh') {
                $shellstring .= '-gh '.$param->{'gh'}.' ';
                last CASE;
            }
            if ($key eq 'sa') {
                unless ($param->{'ca'}) { $shellstring .= '-sa '; }   # '-ca' overrides '-sa'
                last CASE;
            }
            if ($key eq 'ca') {
                $shellstring .= '-ca ';
                last CASE;
            }
            if ($key eq 'cg') {
                $shellstring .= '-cg ';
                last CASE;
            }
        }
    }
'src_alignment.fasta' is a file from upload or FORM data from a user, which will be mangled by the external script. '$param->{'groups'}' and '$param->{'gh'}' are tested in another subroutine for validity:
    if ($key eq 'groups') {
        if ($param->{$key} =~ m/[^0-9\,\-\|]/) {   # check for illegal characters in group-definition
            print "\n>>> Illegal characters in groups-definition '".$param->{$key}."'! Only 0-9 and , and - and | are allowed!\n";
            $error = 1;
        }
        last CASE;
    }
    if ($key eq 'gh') {
        if ($param->{$key} =~ m/[^0-9]/) {
            print "\n>>> Illegal characters in graph-height '".$param->{$key}."'! Only 0-9 are allowed!\n";
            $error = 1;
        }
        last CASE;
    }
If '$error' is found to be 1, the CGI-script exits and prints error messages. As I can see now from the answers I got here, my variables ('groups' and 'gh' especially) are not untainted "enough" or at all... just checking for validity is not enough here as far as I can see.
Thanks a lot for your help!
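An added example (not the poster's code) showing the two things the thread points at: a validity check that only rejects bad input leaves the value tainted, while capturing the whole value in a regex match both validates it and untaints it; and passing the arguments to system() as a list rather than a single string means no shell is involved, so the quoting around the "-groups" value becomes unnecessary. The tool path and the flag names are placeholders taken from the post, and the %$param contents are constructed sample input.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's code: validate and untaint the
# user-supplied values, then run the external tool without a shell.
use strict;
use warnings;

# Constructed sample input standing in for the CGI %$param hash.
my $param = { groups => '1-3,4|5', gh => '400', ca => 1, sa => 1 };

# Untaint by capturing: under -T only the captured part of a successful
# match is considered clean. Returns undef when the value is rejected.
sub untaint_groups {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([0-9,\-|]+)\z/ ? $1 : undef;
}

sub untaint_gh {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([0-9]+)\z/ ? $1 : undef;
}

# Build an argument LIST instead of one command string. With a list,
# system() never invokes /bin/sh, so metacharacters in the data cannot
# alter which command runs, and no quoting is needed around -groups.
sub build_args {
    my ($p) = @_;
    my @args = ('-v', '-in', 'src_alignment.fasta');   # flag names as in the post
    if (exists $p->{groups}) {
        my $g = untaint_groups($p->{groups});
        die "Illegal characters in groups-definition\n" unless defined $g;
        push @args, '-groups', $g;
    }
    if (exists $p->{gh}) {
        my $h = untaint_gh($p->{gh});
        die "Illegal characters in graph-height\n" unless defined $h;
        push @args, '-gh', $h;
    }
    push @args, '-ngra' if $p->{ngra};
    push @args, '-ca'   if $p->{ca};
    push @args, '-sa'   if $p->{sa} && !$p->{ca};   # '-ca' overrides '-sa'
    push @args, '-cg'   if $p->{cg};
    return @args;
}

# Taint mode also refuses to spawn a child while PATH is tainted, so set
# it explicitly and remove the other environment variables perl checks.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my @args = build_args($param);
my $tool = '/path/to/external_script';   # placeholder path, not from the post
system($tool, @args) == 0
    or die "external script failed: $?\n";
```

The difference from the posted check is that `untaint_groups` and `untaint_gh` return `$1` from an anchored match instead of just setting `$error` when a forbidden character is seen; the returned string is what ends up in `@args`, so perl's taint tracking is satisfied by the same regex that enforces the character set.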