[Omaha.pm] Sanitizing user input to use in a regexp search.
Jay Hannah
jay at jays.net
Fri Jan 22 16:58:02 PST 2010
On 1/22/2010 5:23 PM, Sterling Hanenkamp wrote:
> On Fri, Jan 22, 2010 at 4:55 PM, Dan Linder <dan at linder.org> wrote:
> $mycgi = CGI->new();
> $search_string = $mycgi->param('SEARCHSTRING');
> if ($data =~ /$search_string/io) {
> # Do something if we match...
> }
>
> My understanding is that it is/might be possible to get bad data
> pushed into the $search_string and cause the /regexp/ call execute it
> or perform something not intended. But if I
>
> Or am I/we being overly cautious? I've tried stuffing a number of bad
> things into the field and they don't seem to have any bad effect.
>
> You are definitely not being overcautious. Try searching for:
>
> (?{open FH,"/etc/passwd";local $/;print <FH>})
>
> I'd recommend running anything through quotemeta() before using it in
> your regexp.
I like the quotemeta() suggestion. I wonder if that's foolproof.
I can't get the exploit to run. I keep getting this:
Eval-group not allowed at runtime, use re 'eval' in regex m/(?{open
FH,"/etc/passwd";local $/;print <FH>})/ at j.pl line 6.
I guess that makes me a bad cracker. :)
Does taint mode help here? It's one of those things I should probably
use/learn, but never have:
http://perldoc.perl.org/perlsec.html#Taint-mode
If people are only supposed to be able to search for alphanumerics, you
could filter their input.
$search_string = $mycgi->param('SEARCHSTRING');
$search_string =~ s/\W//g;
or be more specific/lenient...
$search_string =~ s/[^a-z0-9 ]//g;
or similar. Perhaps \Q \E makes you safe? (perldoc perlre)
if ($data =~ /\Q$search_string\E/io) {
# Do something if we match...
}
$search_string is still interpolated, but any regex fanciness is disabled.
HTH,
j
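As an added illustration (not code from the thread), the script below puts the three approaches discussed above side by side: the raw interpolation from the original snippet, the \Q...\E (quotemeta) form, and the [a-z0-9 ] allowlist filter. $data is a constructed sample line, the four inputs are constructed too (the last one is the payload quoted earlier in the thread), and each pattern is compiled inside eval so that a compile failure, such as Perl refusing the (?{ }) block or an unbalanced bracket, is reported rather than killing the request. The helper names are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the $data being searched (a passwd-style line).
my $data = "alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash\n";

# 1. The pattern as the original code builds it: raw interpolation.
sub raw_pattern {
    my ($needle) = @_;
    return qr/$needle/i;
}

# 2. \Q...\E (the same thing as quotemeta()) escapes every metacharacter,
#    so the user can only search for the literal text they typed.
sub quotemeta_pattern {
    my ($needle) = @_;
    return qr/\Q$needle\E/i;
}

# 3. Allowlist filter from the post: keep only [a-z0-9 ], then still quote it.
#    Refuses an empty result, because an empty pattern in Perl reuses the
#    last successfully matched pattern instead of matching nothing.
sub allowlist_pattern {
    my ($needle) = @_;
    (my $clean = lc $needle) =~ s/[^a-z0-9 ]//g;
    die "nothing searchable left after filtering\n" if $clean eq '';
    return qr/\Q$clean\E/i;
}

# Compile the pattern inside eval so a compile-time error (an unbalanced
# bracket, or Perl refusing an (?{ }) block) is reported instead of crashing.
sub search {
    my ($builder, $needle) = @_;
    my $re = eval { $builder->($needle) };
    if (!defined $re) {
        chomp(my $err = $@);
        $err =~ s/ at \S+ line \d+\.$//;   # trim the "at FILE line N." suffix
        return "rejected ($err)";
    }
    return $data =~ $re ? "match" : "no match";
}

# Constructed inputs: an ordinary search, regex metacharacters, a malformed
# pattern, and the (?{ }) payload quoted in the thread.
my @inputs = (
    'alice',
    '.*',
    '[',
    '(?{open FH,"/etc/passwd";local $/;print <FH>})',
);

for my $in (@inputs) {
    printf "%s\n  raw:       %s\n  quotemeta: %s\n  allowlist: %s\n",
        $in,
        search(\&raw_pattern,       $in),
        search(\&quotemeta_pattern, $in),
        search(\&allowlist_pattern, $in);
}
```

The raw version matches everything for '.*', fails to compile for '[', and (without use re 'eval') dies on the (?{ }) payload with the "Eval-group not allowed at runtime" error seen above; the quotemeta and allowlist versions treat all three as literal text and simply report no match. Note that the example builds a fresh qr// per call rather than using the /o modifier from the original snippet: /o compiles the pattern once, so in a long-lived process every later request would be matched against the first user's search string.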