[Omaha.pm] Sanitizing user input to use in a regexp search.

Jay Hannah jay at jays.net
Fri Jan 22 16:58:02 PST 2010


On 1/22/2010 5:23 PM, Sterling Hanenkamp wrote:
> On Fri, Jan 22, 2010 at 4:55 PM, Dan Linder <dan at linder.org> wrote:
>         $mycgi = CGI->new();
>         $search_string = $mycgi->param('SEARCHSTRING');
>         if ($data =~ /$search_string/io) {
>             # Do something if we match...
>         }
>
>     My understanding is that it is/might be possible to get bad data
>     pushed into the $search_string and cause the /regexp/ call execute it
>     or perform something not intended.  But if I
>
>     Or am I/we being overly cautious?  I've tried stuffing a number of bad
>     things into the field and they don't seem to have any bad effect.
>
> You are definitely not being overcautious. Try searching for:
>
> (?{open FH,"/etc/passwd";local $/;print <FH>})
>
> I'd recommend running anything through quotemeta() before using it in
> your regexp.

I like the quotemeta() suggestion. I wonder if that's foolproof.

I can't get the exploit to run. I keep getting this:

    Eval-group not allowed at runtime, use re 'eval' in regex m/(?{open FH,"/etc/passwd";local $/;print <FH>})/ at j.pl line 6.

I guess that makes me a bad cracker.  :)

Does taint mode help here? It's one of those things I should probably 
use/learn, but never have:

    http://perldoc.perl.org/perlsec.html#Taint-mode

If people are only supposed to be able to search for alphanumerics, you 
could filter their input.

    $search_string = $mycgi->param('SEARCHSTRING');
    $search_string =~ s/\W//g;

or be more specific/lenient...

    $search_string =~ s/[^a-z0-9 ]//g;

or similar. Perhaps \Q \E makes you safe?  (perldoc perlre)

    if ($data =~ /\Q$search_string\E/io) {
        # Do something if we match...
    }

$search_string is still interpolated, but any regex fanciness is disabled.

HTH,

j
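An added example, not code from the thread: a small Perl script contrasting the three approaches discussed above (raw interpolation, \Q...\E which is what quotemeta() does, and the allow-list filter), plus a check for the "Eval-group not allowed at runtime" refusal Jay ran into. The sample data and search strings are constructed; the code block used in the last check is a harmless `(?{ 1 })`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data (not from the thread).
my $data = 'Price list: a+b = 10, see README';

# 1. Raw interpolation: every regex metacharacter in $s is live.
sub match_raw {
    my ($d, $s) = @_;
    return $d =~ /$s/i ? 1 : 0;
}

# 2. \Q...\E (same effect as quotemeta()): $s is matched literally.
sub match_quoted {
    my ($d, $s) = @_;
    return $d =~ /\Q$s\E/i ? 1 : 0;
}

# 3. Allow-list filter from the post, then quoted anyway.
#    Caveat: the filter silently changes what the user searched for,
#    and an emptied term must not reach the match, because an empty
#    pattern makes Perl reuse the last successful pattern.
sub match_filtered {
    my ($d, $s) = @_;
    (my $clean = $s) =~ s/[^a-z0-9 ]//gi;
    return 0 if $clean eq '';
    return $d =~ /\Q$clean\E/i ? 1 : 0;
}

# Does this perl let an interpolated string carry a code block?
# Returns 0 when the match dies with "Eval-group not allowed at
# runtime" (the default), 1 only if `use re 'eval'` were in scope.
sub runtime_code_block_allowed {
    my $s  = '(?{ 1 })';                     # harmless, constructed
    my $ok = eval { 'x' =~ /$s/; 1 };
    return $ok ? 1 : 0;
}

for my $s ('a+b', 'a+', '.*', 'readme') {
    printf "%-7s raw=%d quoted=%d filtered=%d\n", $s,
        match_raw($data, $s), match_quoted($data, $s),
        match_filtered($data, $s);
}
printf "runtime code block allowed: %d\n", runtime_code_block_allowed();
```

Searching for the literal text "a+b" only succeeds in the quoted form, while ".*" succeeds only in the raw form, which is the whole problem in one table. The example also drops the original's /o modifier, which compiles the pattern once per process and would ignore later search strings under a persistent interpreter.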
