in reply to Re: How to avoid Null Byte Injection
in thread How to avoid Null Byte Injection?

I tried what you said, but even if the user selects a valid filename from the drop-down menu, his request still gets rejected.
Where did I go wrong in the following code?
    my @files = <../data/text/*.txt>;
    my @display_files = map /([^\/]+)\.txt/, @files;
    Encode::from_to($_, "ISO-8859-7", "utf8") for @display_files;

    print br;
    print start_form( action=>'index.pl' );
    print h1( {class=>'lime'}, "Επέλεξε το κείμενο που σε ενδιαφέρει => ",
              popup_menu( -name=>'select', -values=>\@display_files ),
              submit('Εμφάνιση'));
    print end_form;

    my $passage = param('select') || "Αρχική Σελίδα!";
    Encode::from_to($passage, "utf8", "ISO-8859-7") if param();

    if ( param('select') ) {
        unless ( $passage =~ /^[a-zA-Zα-ωΑ-Ω0-9]+$/ ) {
            print br() x 2;
            print h1( {class=>'big'}, "*Backward Directory Traversal* hack will NOT help you here, Mighty Lamer!" );
            exit;
        }

        open(FILE, "<../data/text/$passage.txt") or die $!;
        local $/;
        $data = <FILE>;
        close(FILE);

        Encode::from_to($passage, "ISO-8859-7", "utf8");

        $select = $dbh->prepare( "UPDATE guestlog SET passage=?, date=?, counter=counter+1 WHERE host=?" );
        $select->execute( $passage, $date, $host );
    }
    else

Re^3: How to avoid Null Byte Injection
by Joost (Canon) on Oct 08, 2006 at 00:23 UTC
      In <../data/text/*.txt> there are all the text files index.pl will use, and they are loaded in array display_files. This still didn't work:
          if ( param('select') ) {
              unless (grep { $_ eq $passage } @display_files) {
                  print br() x 2;
                  print h1( {class=>'big'}, "*Backward Directory Traversal* hack will NOT help you here, Mighty Lamer!" );

                  $select = $dbh->prepare( "UPDATE guestlog SET passage=?, date=?, counter=counter+1 WHERE host=?" );
                  $select->execute( $passage, $date, $host );
                  exit;
              }

        Nik, you've been here long enough to know that "it didn't work" is fairly meaningless to everyone who wants to try to help you.

        However, I do suspect that if you've verified that the user is trying to do something naughty, updating the database anyway is probably wrong. If so, your exit is in the wrong place and you need at least one more closing brace.
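
The control flow this reply points to, as an added example that is not code from the thread: the requested name is used only as a key into a map built from the files on disk, and a rejected request returns before any file is opened or any log entry is written. The names `fetch_passage`, `%path_for` and `%counter`, the temporary directory standing in for `../data/text`, and the sample requests are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Basename qw(basename);
use File::Glob qw(bsd_glob);

# Constructed sample data: a temporary directory standing in for ../data/text.
my $dir = tempdir( CLEANUP => 1 );
for my $name (qw(intro psalm1)) {
    open( my $out, '>', "$dir/$name.txt" ) or die "create $name: $!";
    print {$out} "text of $name\n";
    close($out);
}

# Map each display name to the path found on disk. The request is only ever
# a hash key, so it is never interpolated into the filename passed to open().
my %path_for = map { ( basename( $_, '.txt' ), $_ ) } bsd_glob("$dir/*.txt");

my %counter;    # hypothetical stand-in for the guestlog UPDATE

# Returns the file contents for an allowed name, or undef for anything else.
sub fetch_passage {
    my ($requested) = @_;
    return unless defined $requested;
    my $path = $path_for{$requested};
    return unless defined $path;    # rejected: no open, no log update

    open( my $fh, '<', $path ) or die "open $path: $!";    # three-argument open
    my $data = do { local $/; <$fh> };
    close($fh);

    $counter{$requested}++;    # logged only after validation has passed
    return $data;
}

# Constructed requests: a valid name, a traversal attempt, a null-byte suffix.
for my $req ( 'intro', '../../etc/passwd', "intro\0" ) {
    my $data = fetch_passage($req);
    ( my $shown = $req ) =~ s/\0/\\0/g;
    printf "%-18s => %s\n", $shown, defined $data ? 'served' : 'rejected';
}
print "log updates: ", scalar( keys %counter ), "\n";
```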