[Omaha.pm] Thoughts?

Jay Hannah jhannah at omnihotels.com
Thu Jul 28 12:18:12 PDT 2005 

I like idea #2, activated when you *know* you're not going to do anything exploitable.

But I don't like the switch RawCGI=>1. 

I'd vote for the RARE use of:

   my $page = new View::Web::Page(Globals=>$Globals,Safe=>0);

In the constructor default Safe to 1 (on/true).

   $Safe = 1 unless (defined $Safe);
   if ($Safe) {
      foreach my $param ($q->param()) {
        # Strip out all wacky characters to prevent SQL injections
   ...etc...

$0.02,

j



> So, I ran into an issue using View::Web::Page and file 
> uploads. Jay helped point me to a function of the class that 
> "cleans" all the q->params() to stop sql attacks. 
> Unfortunately, it also strips all the backslashes out of my 
> filepath that IE pukes into the form-data (mozilla 
> conveniently removes all but the filename in formposts) 
> making it difficult to parse the filename.
> 
>  
> 
> I figure there's 2 ways to address this without reducing the 
> attack consideration:
> 
>  
> 
> 1. Specifically ignore 'special' params :
>     foreach my $param ($q->param()) {
> 
>       # Strip out all wacky characters to prevent SQL injections
>       #
>       If ($param ne 'fileupload') {
>         my $value = $q->param($param);
>         $value =~ s/[`;'"\\]//g;
>         $q->delete($param);
>         $q->param($param,$value);
>         if ($param =~ /^(view|edit|update|delete|insert)__/) {
>           my @arr = split /__/, $param;
>           $pagemode = shift @arr;
>           $pagename = shift @arr;
>           $pageid   = join('__', @arr);
>           last;
>         }
>       }
>     }
> 
>  
> 
> 2. instantiating it like this
> 
> my $page    = new View::Web::Page(Globals=>$Globals,RawCGI=>1);
> 
> and adding an if around this block of code 
> 
>   if (!$RawCGI) {
>     foreach my $param ($q->param()) {
>       # Strip out all wacky characters to prevent SQL injections
>       #
>       my $value = $q->param($param);
>       $value =~ s/[`;'"\\]//g;
>       $q->delete($param);
>       $q->param($param,$value);
>       if ($param =~ /^(view|edit|update|delete|insert)__/) {
>         my @arr = split /__/, $param;
>         $pagemode = shift @arr;
>         $pagename = shift @arr;
>         $pageid   = join('__', @arr);
>         last;
>       }
>     }
>   }
>  
> 
> Thoughts?

More information about the Omaha-pm mailing list