Sorry, I did not make myself clear.  I have implemented the forbidden array
within the ASP script and I have also appended other forbidden characters to
the array.

Aengus Lawlor wrote:

> Dave Cobb wrote:
>
> >Stephen Turner wrote:
> >
> >> On Thu, 2 Dec 1999, Dave Cobb wrote:
> >> > Rundown:  form details (e.g. commands) are passed to ASP script,
> >> > script gets form values splits them into appropriate command names
> >> > and commands, these are concatenated into a command line string
> >> > which formats the output using the +C command.
> >>
> >> You're editing out the commands in anlgform.pl's @forbidden array are
> >> you?
> >
> >No. See below
> >
> >> Do you obey the same syntax as anlgform? For example, FLOORA and
> >> FLOORB, or COMMAND1 and COMMAND2. Or will people need new forms as
> >> well?
> >
> >The way which it works is that ANY command can be passed from the form,
> >this makes it futureproof - BUT here is the security risk.  If any
> >command is passed then someone can hack the commands passed from the
> >form and execute anything on a command line basis. Therefore parsing
> >form contents is required, e.g. no carriage returns or \n\r, etc..
>
> You're reinventing the wheel - the techniques in the perl script are
> well thought out, and it makes more sense to implement these techniques
> in an ASP script than to use a totally new methodology. I don't see
> futureproofing as an issue - there are certain commands that simply
> aren't appropriate in the Web interface, and it is important to filter
> them out.
>
> Aengus
> ------------------------------------------------------------------------
> This is the analog-help mailing list. To unsubscribe from this
> mailing list, send mail to [EMAIL PROTECTED]
> with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
> List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
> ------------------------------------------------------------------------

--
Dave Cobb - Web Developer
Omniplex New Media
www.omniplex.co.uk
TEL: 01780 489190
FAX: 01780 489199
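
The risk described in the quoted exchange above (form fields concatenated
into one analog command line, so a hostile field value can run arbitrary
shell commands on the server) and the filtering Dave describes, worked
through as an added Python example. This is not code from this thread, from
anlgform.pl or from the ASP script: the FORBIDDEN set, the command names
and the hostile value are constructed for illustration and are NOT
anlgform.pl's real @forbidden list. The two points it shows are that the
command-line string must never be built by concatenation and handed to a
shell, and that every +C command must pass a name check (known-safe
spelling, not in the forbidden list) and a value check (no CR/LF or other
control characters) before it is passed as its own argv element.

```python
"""Pass web-form fields to analog as +C commands without command injection."""
import re
import subprocess
from typing import Iterable, List, Tuple

# Illustrative deny-list (an assumption for this example, not anlgform.pl's
# real @forbidden array): commands that let a client read or write arbitrary
# files on the server have no business in a web interface.
FORBIDDEN = frozenset({
    "LOGFILE", "OUTFILE", "CACHEFILE", "CACHEOUTFILE", "DNSFILE",
    "ERRFILE", "CONFIGFILE", "UNCOMPRESS", "PROGRESSFREQ",
})

# analog command names are upper-case words such as FLOORA, FROM, OUTPUT.
_NAME_RE = re.compile(r"^[A-Z][A-Z0-9]{0,31}$")
# Values may not contain control characters (CR, LF, NUL, ...), so a single
# form field cannot smuggle a second configuration line into analog.
_BAD_VALUE_RE = re.compile(r"[\x00-\x1f\x7f]")


class RejectedCommand(ValueError):
    """Raised when a form field must not reach the analog command line."""


def vulnerable_command_line(fields: Iterable[Tuple[str, str]]) -> str:
    """The pattern the thread warns about: concatenate everything into one
    string destined for a shell. Kept only to contrast with build_argv()."""
    return "analog " + " ".join(f'+C"{name} {value}"' for name, value in fields)


def check_field(name: str, value: str) -> Tuple[str, str]:
    """Return (NAME, value) if the pair is safe to pass as +C, else raise."""
    name = name.strip().upper()          # normalise before the deny-list check
    if not _NAME_RE.match(name):
        raise RejectedCommand(f"bad command name: {name!r}")
    if name in FORBIDDEN:
        raise RejectedCommand(f"forbidden command: {name}")
    if _BAD_VALUE_RE.search(value) or len(value) > 256:
        raise RejectedCommand(f"bad value for {name}: {value!r}")
    return name, value


def build_argv(fields: Iterable[Tuple[str, str]], analog: str = "analog") -> List[str]:
    """Build an argv list for analog from validated form fields.

    Each command becomes its own '+C<NAME> <VALUE>' argument. Because the list
    is handed to the OS without a shell, quotes, semicolons and backticks in a
    value are just bytes inside one argument, never shell syntax."""
    argv = [analog]
    for name, value in fields:
        name, value = check_field(name, value)
        argv.append(f"+C{name} {value}")
    return argv


def is_rejected(fields: Iterable[Tuple[str, str]]) -> bool:
    """True if build_argv() refuses the fields (used by the checks below)."""
    try:
        build_argv(list(fields))
    except RejectedCommand:
        return True
    return False


def run_analog(fields: Iterable[Tuple[str, str]], analog: str = "analog",
               timeout: int = 30) -> bytes:
    """Run analog with the validated commands; no shell is involved."""
    return subprocess.run(build_argv(fields, analog), capture_output=True,
                          timeout=timeout, check=True).stdout


if __name__ == "__main__":
    form = [("FLOORA", "10"), ("OUTPUT", "ASCII")]        # constructed input
    print(build_argv(form))
    hostile = [("FLOORA", '10"; cat /etc/passwd; echo "')]  # constructed input
    print(vulnerable_command_line(hostile))   # a shell would run cat here
    print(build_argv(hostile))                # one inert argument for analog
    print(is_rejected([("LOGFILE", "/etc/passwd")]))        # True
    print(is_rejected([("FLOORA", "10\nOUTFILE /tmp/x")]))  # True
```

Note that the hostile FLOORA value is not rejected by the checks: it passes
through as a single argv element that analog will simply refuse as a bad
number. That is the point of the argv approach: the filter only has to
understand analog's syntax (command names, forbidden commands, one line per
command), not every shell's quoting rules.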

