in reply to Safely passing CGI form data to a shell command

I would require that those terms passed the most restrictive regexp (maybe /^[a-z']+$/i) that would capture the arguments to dict. I.e., adding your whitespace stripping:

my @untainted = map { /^\s*([a-z']+)\s*$/i ? $1 : () } @terms;   # $1 is untainted; terms that fail the whitelist are dropped
(NB: I have not confirmed that /^[a-z]+$/i indeed matches all valid arguments to dict.)

the lowliest monk

Re^2: Safely passing CGI form data to a shell command
by Tommy (Chaplain) on Apr 21, 2005 at 17:16 UTC

    But then I wonder what happens to searches like "résumé" ?? Should I support dictionary lookups on words in other languages? Spanish for example has words like "tú".

    And that presents another error altogether. If I ask dict to look up such a word for me, it complains... "error: The request is not a valid UTF-8 string". But that error isn't Perl-related, I don't think. Or is it? Do I need to escape unicode in a special way before dict-ing for words that contain it?

    --
    Tommy Butler, a.k.a. Tommy
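Added example, not code from either monk in this thread: a taint-mode Perl script that does what the first reply describes, untainting each search term by capturing it against a whitelist, and then hands the word to dict without going through a shell. It also takes up Tommy's "résumé" question by decoding the form bytes as UTF-8 before validation and re-encoding before the call, on the assumption (mine, drawn from the error message he quotes) that dict expects a UTF-8 byte string. The \p{L} letter class, the function names untaint_term and lookup, and the sample terms are all my own.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): whitelist-untaint a CGI search term
# and pass it to dict without a shell. untaint_term() and lookup() are my
# own names; the sample terms at the bottom are constructed.
use strict;
use warnings;
use Encode qw(decode encode);

binmode STDOUT, ':encoding(UTF-8)';

# Decode the raw form bytes as UTF-8, then accept a single word of letters
# (Unicode letters when $allow_unicode is true, ASCII a-z otherwise) and
# apostrophes, with surrounding whitespace trimmed. Returns the untainted
# word, or undef if the term fails the whitelist or is not valid UTF-8.
sub untaint_term {
    my ($raw_bytes, $allow_unicode) = @_;
    my $term = eval { decode('UTF-8', $raw_bytes, Encode::FB_CROAK) };
    return undef unless defined $term;
    my $class = $allow_unicode ? q{[\p{L}']} : q{[a-z']};
    # Only a regex capture untaints: $1 is clean, $term itself stays tainted.
    return $term =~ /^\s*($class+)\s*$/i ? $1 : undef;
}

# Run dict with the list form of open(), so the argument never reaches a
# shell; the whitelist above already rules out a leading '-', so dict cannot
# mistake the word for an option. dict is handed UTF-8 bytes, which is what
# the "not a valid UTF-8 string" error quoted in the thread suggests it wants
# (my assumption). The output is decoded back to characters before return.
sub lookup {
    my ($word) = @_;
    local $ENV{PATH} = '/usr/bin:/bin';   # taint mode insists on a trusted PATH
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    open(my $dict, '-|', 'dict', encode('UTF-8', $word))
        or die "cannot run dict: $!";
    my $out = do { local $/; <$dict> };
    close $dict;
    return decode('UTF-8', $out // '');
}

# Self-test on constructed form values (bytes, as CGI param() delivers them).
if (!caller) {
    my @terms = ("  hello ", "foo; ls", "don't", encode('UTF-8', "r\x{e9}sum\x{e9}"));
    for my $raw (@terms) {
        my $word = untaint_term($raw, 1);
        print defined $word ? "accepted: $word\n" : "rejected: $raw\n";
    }
}
```

Run it as perl -T script.pl. The self-test only exercises untaint_term; lookup() needs a dict client on the PATH, and it is lookup() that the CGI script would call with the accepted word.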