On Mon, 18 Dec 2000, RoMaN SoFt / LLFB!! wrote:
On Mon, 18 Dec 2000 14:13:45 +0100 (CET), you wrote:
Now I want to protect my CGI. Basically it only takes two strings: one which only contains numbers and another, more generic one (it can contain ";,|<>"... etc). I want to correctly (=secure) parse the variables
These chars interact with the shell, that's bad. So, don't use shell scripting for your CGI; if you use Perl or C, then avoid using open() ..
Hi Thomas. I'm looking for a regexp for "filtering" (/ parsing) those "nasty" chars so you could trust a user-input given variable... well, not exactly trust, but at least avoiding shell escapes & other hacking tricks.
Oh, I misunderstood your mail. I thought the 2nd input _has_ to include the nasty chars. Well, it's wise to filter the 'good' chars and toss the rest. Example in Shell:

    # Strip every allowed character (bash ${var//pattern/} substitution);
    # whatever is left over is something we did not allow.
    CHECK=${1//[0-9a-zA-Z]/}
    if [ "$CHECK" = "" ]; then
        echo "OK!"
    else
        echo "KO!"
        exit -1
    fi

Otherwise the following chars are known to be bad:

    |  ;  `  0x00  0x20  &  <  0x0A

.oO( Hope it's all! )

For examples of cgi exploits look at http://www.cgisecurity.com/ . If the input is used with open() and alike take care of '../' and stuff.

Bye,
 Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de   Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
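An added example, not code from the thread: the allow-list approach Thomas describes, applied to both of the poster's parameters and to the '../' case for values that reach open(), written in portable POSIX sh (the function names and sample values are my own).

```sh
#!/bin/sh
# Added example, not code from the thread. Allow-list checks for the two CGI
# parameters in portable POSIX sh: a "case" pattern with a negated bracket
# expression rejects any value containing a character outside the allowed
# set, so the shell metacharacters never have to be enumerated.
# (The ${var//pattern/} form used in the thread is a bash-only extension.)

# First parameter: one or more digits, nothing else.
is_numeric() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;   # empty, or contains a non-digit
        *)             return 0 ;;
    esac
}

# Second parameter: letters, digits and a few harmless punctuation chars.
# | ; ` & < > space and newline are rejected simply by not being listed.
is_plain_text() {
    case "$1" in
        '' | *[!0-9a-zA-Z._-]*) return 1 ;;
        *)                      return 0 ;;
    esac
}

# For a value that ends up in open(): the allow-list above already excludes
# '/', so additionally refuse any ".." and the value can only name a plain
# file inside the intended directory.
is_safe_filename() {
    is_plain_text "$1" || return 1
    case "$1" in
        *..*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Validate a whole request; returns 0 only when every parameter passes.
validate_request() {
    is_numeric "$1" && is_plain_text "$2"
}

# Stand-alone usage with constructed sample values.
if validate_request "42" "report.txt"; then echo "OK!"; else echo "KO!"; fi
```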