in reply to Possible Security Hole (was RE: Re: CGI and Traceroute)
in thread CGI and Traceroute

Would this be a better approach?

Update: corrected the code (thanks merlyn); sorry for the delay...

# assuming -T ...
my $param_cmd = param( 'trace' );
if ( $param_cmd ) and ( $param_cmd =~ /^[-.0-9a-zA-Z]+$/ ) {
    $param_cmd = $1;
    print p( "Hello There- I am writing this from "
           . "scratch so please be patient. Thanks!" ), "<pre>";
    system( "/usr/sbin/traceroute", $param_cmd );
    ...
}

(Sorry if this seems basic, but I'm trying to make sure I've learned the right things from the various FAQs and nodes on the subject...)

RE: RE: Possible Security Hole
by KM (Priest) on Oct 19, 2000 at 19:55 UTC
    This may work for you:

    use Untaint;
    my @dirty_params = param('trace');    # your array
    my @clean_params = untaint(qr(^[-.0-9a-zA-Z]+$), \@dirty_params);

    Assuming all members of your array are launderable, you will be returned an array of clean values.

    Cheers,
    KM

RE: RE: Possible Security Hole
by Kanji (Parson) on Oct 20, 2000 at 07:16 UTC

    Your parens are a bit off in the if. Try ...

    if ( $param_cmd and $param_cmd =~ /^([-.0-9a-zA-Z]+)$/ ) {

    Note the addition of parens in the regexp so that you save it in $1, as the way you had it would have set $param_cmd to be undefined.

    Also, there's no need for qw() which would've passed a different argument than you expected ...

    system( "/usr/sbin/traceroute", $param_cmd );

      --k.

    ( Ain't life^H^H^H^Hsecurity a biiyatch? :)
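Putting the two corrections from this thread together (a capture group so $1 is defined under -T, and the list form of system() so no shell ever sees the value), here is an added example that is not the original poster's code nor anything from the replies. It assumes a hypothetical clean_host() helper in place of the inline regexp, and feeds constructed sample strings instead of reading param('trace') so it runs offline:

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): whitelist-untaint a CGI
# parameter with a capture group, then hand it to traceroute via the
# list form of system(), which calls execve() directly and never /bin/sh.
use strict;
use warnings;

# clean_host() is a hypothetical helper written for this example.
# Returns the validated host on success, undef on rejection.
# The parens in the regexp are essential: under -T only the captured
# text ($1) is considered clean, and without them $1 would be undef,
# which is exactly the bug Kanji pointed out above.
sub clean_host {
    my ($dirty) = @_;
    return undef unless defined $dirty;
    return $1 if $dirty =~ /^([-.0-9a-zA-Z]+)$/;
    return undef;
}

# Run traceroute only with a laundered argument; returns true on success.
sub run_trace {
    my $host = clean_host(shift);
    unless (defined $host) {
        print "Rejected: host may contain only letters, digits, '-' and '.'\n";
        return 0;
    }
    # List form: $host becomes one argv element, so shell metacharacters
    # in it could never be interpreted even if they slipped past the regexp.
    my $rc = system('/usr/sbin/traceroute', $host);
    return $rc == 0;
}

# Constructed sample inputs (not real request data) showing what the
# whitelist accepts and rejects; run_trace() is not invoked here so the
# script needs no network or traceroute binary to demonstrate the check.
for my $input ('www.example.com', '192.0.2.1', 'example.com;foo', '', undef) {
    my $shown = defined $input ? "'$input'" : 'undef';
    my $clean = clean_host($input);
    printf "%-20s -> %s\n", $shown,
        defined $clean ? "clean: $clean" : 'rejected';
}
```

The whitelist deliberately stays narrow: anything outside letters, digits, '-' and '.' (spaces, semicolons, an empty string, a missing parameter) is rejected before system() is reached, and because the list form is used, the laundered value is passed as a single argument rather than re-parsed by a shell.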
RE: RE: Possible Security Hole
by merlyn (Sage) on Oct 20, 2000 at 10:27 UTC