Dr.Ruud, on Tuesday, 25 July 2006 00:34:
> D. Bolliger:
> > Dr.Ruud:
> >> D. Bolliger:
> >>> # input sanitizing
> >>> #
> >>> my $re_range=qr/\d+\s*\.\.\s*\d+/;
> >>> $user_input=~/^\s*$re_range(?:\s*,\s*$re_range)*\s*$/
> >>> or die 'invalid input!';
> >>>
> >>> my @list4=eval $user_input;
> >>
> >> An embedded newline can fool that test.
> >>
> >> You can make it much stricter,
> >> by replacing the \s by [[:blank:]],
> >> and the ending $ by \z.
> >>
> >> $re_range = qr/ [[:blank:]]*
> >>                 \d+
> >>                 [[:blank:]]*
> >>                 \.\.
> >>                 [[:blank:]]*
> >>                 \d+
> >>                 [[:blank:]]*
> >>               /x ;
> >>
> >> $re_input = qr/\A $re_range (?: , $re_range )* \z/x ;
> >
> > Yes, you are right that space other than ' ' can pass this test, and
> > if only single line input is allowed, it is certainly better to
> > implement the restrictions accordingly.
> >
> > On the other side, even newlines (that pass the test) lead to a
> > string that evals without error.
>
> You're right, a trailing \n doesn't create danger here.
> I wrongly thought that a string like "1..10\n;`rm -rf /`" would match,
> but it doesn't (without an m-modifier).
This reminds me of two things:

- "evals without error" is not a sane criterion while rm -rf / is
  running :-)

- the sanitising should be improved by using capturing parentheses, so
  that even with the m modifier no accident happens, and only that part
  of the input string is used afterwards that has been covered by the
  check. It's good that the taint mode enforces that...

#!/usr/bin/perl
use strict;
use warnings;

my $re_range=qr/ \d+ \s* \.\. \s* \d+ /x;
my $re_check=qr/^ \s* $re_range (?:\s*,\s*$re_range)* \s* $/mx;   # <===

my $user_input="1..10\n;`rm -rf /`";

if ($user_input=~/($re_check)/) {
  warn "ok (using \$1):\n<$1>\n\n",
       "ouch! (using \$user_input):\n<$user_input>\n";
}

__END__
ok (using $1):
<1..10>

ouch! (using $user_input):
<1..10
;`rm -rf /`>

Dani

[...]
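The following script is an added example, not code posted by anyone in this thread. It puts the two checks discussed above side by side: the loose one built on ^, $ and \s under /m, and the strict one anchored with \A and \z using [[:blank:]]. It then goes one step further than the thread by building the list from the matched digits with the range operator instead of handing the validated text to eval, and by capping the width of a single range (the $MAX_SPAN limit is an assumed policy, not something the thread specifies). The sample inputs, the function name parse_ranges and the do_something() text are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: validate a list of integer ranges
# strictly and build the list without handing the input to eval.
use strict;
use warnings;

# One range: digits, optional horizontal whitespace, "..", digits.
# [[:blank:]] (space and tab only) instead of \s keeps newlines out of the match.
my $re_range = qr/ [[:blank:]]* \d+ [[:blank:]]* \.\. [[:blank:]]* \d+ [[:blank:]]* /x;

# Loose check as discussed in the thread: ^ and $ under /m can match at an
# embedded newline, so text after the newline passes the check unseen.
my $re_loose  = qr/^ \s* $re_range (?: \s* , \s* $re_range )* \s* $/mx;

# Strict check: \A and \z only match at the very start and very end of the
# string, regardless of /m, and [[:blank:]] cannot consume a newline.
my $re_strict = qr/\A $re_range (?: , $re_range )* \z/x;

# Upper bound on one range's width (assumed policy): "1..999999999" is
# syntactically valid but would exhaust memory if expanded.
my $MAX_SPAN = 10_000;

# Returns an array ref of the expanded integers, or undef if rejected.
# The numbers are taken from the matched text, so nothing is ever eval'ed.
sub parse_ranges {
    my ($input) = @_;
    return undef unless defined $input && $input =~ $re_strict;

    my @list;
    # Every comma-separated piece is a well-formed range after the check.
    for my $piece (split /,/, $input) {
        my ($lo, $hi) = $piece =~ /(\d+) [[:blank:]]* \.\. [[:blank:]]* (\d+)/x;
        return undef if $hi - $lo > $MAX_SPAN;
        push @list, ($lo + 0) .. ($hi + 0);   # empty when $lo > $hi, like eval "3..1"
    }
    return \@list;
}

# Constructed sample inputs, including the newline cases from the thread.
my @samples = (
    "1..3, 7..9",              # valid list
    "1..3\n",                  # trailing newline: $ accepts it, \z does not
    "1..3\n;do_something()",   # second line smuggled in after a newline
    "3..1",                    # valid syntax, empty range
    "1..99999999",             # valid syntax, rejected by the span limit
);

for my $s (@samples) {
    my $shown = $s =~ s/\n/\\n/gr;
    my $loose = $s =~ $re_loose ? "passes" : "fails";
    my $r     = parse_ranges($s);
    printf "%-26s loose check: %-6s strict parse: %s\n",
        "<$shown>", $loose, defined $r ? "[@$r]" : "rejected";
}
```

Run it as a plain script (Perl 5.14 or later for the s///r form). The "loose check" column shows which inputs the ^/$ pattern under /m accepts, including the one with a second line after the newline; the "strict parse" column shows that the \A/\z pattern rejects every multi-line input, and that the values used afterwards come only from the digits the check actually covered.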