Re^2: Form, Input, Taint related

CGI.pm is probably the best way to get at the form data, especially if you're new to perl and/or CGI programming.

That being said, I don't like CGI.pm because it does too much work -- it both handles receiving input, and creating HTML through a whole bunch of functions that pollute your namespace. I don't like that DISABLE_UPLOADS and POST_MAX aren't set by default, and the note that they're a security risk is buried in the documentation. (see Ovid's CGI::Safe)

I wish that Lincoln Stein would split up the HTML generating bits, and the CGI handling into seperate modules, so that I could just load the part that I want to use, without needing to resort to other modules (CGI::Lite, CGI::Base, etc.) or hacking at it myself and keeping it in sync with updates.

Comment on Re^2: Form, Input, Taint related

Replies are listed 'Best First'.
Re: Form, Input, Taint related by Anonymous Monk on Apr 15, 2005 at 17:49 UTC
Thanks for the replies! Well instead of CGI.pm, as of now I'm using this example I got from a web site. sub startup { $query=$ENV{'QUERY_STRING'}; if ($query) { @pairs=split(/&/,$query); } else { read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'}); @pairs = split(/&/, $buffer); } foreach $pair (@pairs) { $something_in=1; ($name, $value) = split(/=/, $pair); $value =~ tr/+/ /; $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; $name =~ tr/+/ /; $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; if ($INPUT{$name}) { $INPUT{$name} = $INPUT{$name}.",".$value; + } else { $INPUT{$name} = $value; } } } #then when I want to retrieve a value for the input field called "name +", then I will use: &startup; print "$INPUT{'name'} [download] This is the other alternative I was talking about. Is this as safe as using CGI.pm Input method? Thanks!	[reply] [d/l]
Re^2: Form, Input, Taint related by merlyn (Sage) on Apr 15, 2005 at 20:48 UTC
Uh, no. This fails to handle modern form encodings, and select-multiple fields in any useful way. And probably a few dozen other shortcomings. Use CGI.pm, please. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]
Re^2: Form, Input, Taint related by jhourcle (Prior) on Apr 15, 2005 at 22:03 UTC
The biggest issue that I see is that you're trusting the CONTENT_LENGTH header, and not placing any restriction, to make sure that someone doesn't claim it to be 50GB or some other excessive number. It's possible that because the values weren't being tested for taint, that they might cause other problems, but I don't know how you're using the data. If you're just printing to a log (that you're viewing with only a text editor), or report, or whatever, you might be just fine with the rest of it. If you use input as the basis for something that results in a filename, system call, database call, e-mail, or anything else that can be abused, you might want to rethink how values are being parsed. Although there's a bit of overhead from CGI.pm, because of all of the HTML generation bits, that you won't be using, it can provide for more robust input handling, and the ability to fix things in one spot, rather than spread across every file that handles CGI input. Make sure you look at the notes in CGI::Safe, though.	[reply]