
Re: [MacPerl] Dangerous cgi-script



At 08:57 PM 7/10/97 +0200, Claes Bjorklund wrote:
>>At 9.23 7/10/97, Claes Bjorklund wrote:
>>>Is this this cgi script dangerous?
>>
>>>$math = $FORM{'calc'};
>>>$res=eval "$math";
>>
>>Yes.  Now, it is not as dangerous as it is on a UNIX box, but it is still
>>dangerous.  Any Perl statement can be executed by the web user.
>>
>>Imagine the calculation was something like this, but only more damaging:
>>
>>        MacPerl::Answer('Erase System Folder?', 'OK')
>>
>[...]
>Hi
>
>How do I make a script which is safe? I understand I must do some check of the
>input, please help me, I am a beginner

Claes,

I'm a beginner too, but you'd be safe in having the Perl script do the
work, not the OS.

That is to say, set up a field for each value, and a popup menu for the
list of available operators.  Make the user use the equations you've
allowed in the form rather than just freehand-typing in an equation.

Then, once you've got all the values and operators from the form, you can
simply let Perl calculate the equation.

Another alternative would be to allow the user to type in the equation
freehand and then you use regular expressions to split it apart into its
component pieces and calculate it.  Naturally, this could get out of hand very
quickly since there are a million possible cases to handle, but if you were
to limit it to only a few possibilities (and explain those on the web
page), you could do it without too much trouble.  For example, tell the
user he's limited to addition/subtraction/multiplication/division as
operators.  Then it wouldn't be too terrible to split the equation apart
and have Perl calculate it.

Wade
---------------------------------------------------------------------------
Wade Williams                      "And the trees are all kept equal by
Systems Engineer                    hatchet, axe, and saw."
Cisco Systems, Inc.                       - N. Peart
Brentwood, TN
615-221-2918
wwilliam@cisco.com
---------------------------------------------------------------------------
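The two approaches discussed in this thread, side by side, as an added example (not code from the original posters): the `eval "$math"` pattern that hands the web user an arbitrary Perl statement, and a replacement that tokenizes the input with a regular expression, accepts only numbers and the four operators, and lets Perl do the arithmetic through a fixed dispatch table so that no user text ever reaches `eval`. The `%FORM` contents and the function names are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of what the CGI form might submit (assumption, not from the post).
my %FORM = ( calc => '3 + 4 * 2 - 10 / 5' );

# The pattern from the thread: eval on untrusted input. Anything the web user
# types is executed as Perl. Kept only to contrast with safe_calc() below.
sub unsafe_calc {
    my ($math) = @_;
    my $res = eval "$math";
    return $res;
}

# Dispatch table: the only operations the calculator will ever perform.
my %op = (
    '+' => sub { $_[0] + $_[1] },
    '-' => sub { $_[0] - $_[1] },
    '*' => sub { $_[0] * $_[1] },
    '/' => sub { $_[1] == 0 ? undef : $_[0] / $_[1] },
);

# Safe version: allowlist the characters, tokenize into numbers and operators,
# check the shape "number (op number)*", then evaluate with * and / before + and -.
# Returns ($value, undef) on success or (undef, $reason) on rejection.
sub safe_calc {
    my ($math) = @_;
    return (undef, 'only digits, decimal points, spaces and + - * / are allowed')
        unless defined $math && $math =~ /\A[\d.\s+*\/-]+\z/;

    my @tok = $math =~ /(\d+(?:\.\d+)?|[-+*\/])/g;
    return (undef, 'malformed expression') unless @tok % 2 == 1;
    for my $i (0 .. $#tok) {
        my $want_num = ($i % 2 == 0) ? 1 : 0;     # even positions must be numbers
        my $is_num   = ($tok[$i] =~ /\A\d/) ? 1 : 0;
        return (undef, 'malformed expression') if $want_num != $is_num;
    }

    # Pass 1: collapse * and / left to right, leaving + and - in place.
    my @pass1 = ($tok[0]);
    for (my $i = 1; $i < @tok; $i += 2) {
        my ($o, $n) = ($tok[$i], $tok[$i + 1]);
        if ($o eq '*' || $o eq '/') {
            my $r = $op{$o}->(pop @pass1, $n);
            return (undef, 'division by zero') unless defined $r;
            push @pass1, $r;
        } else {
            push @pass1, $o, $n;
        }
    }

    # Pass 2: fold the remaining + and - left to right.
    my $acc = shift @pass1;
    while (@pass1) {
        my ($o, $n) = splice @pass1, 0, 2;
        $acc = $op{$o}->($acc, $n);
    }
    return ($acc, undef);
}

# Constructed inputs: the form value, a division by zero, the MacPerl::Answer
# statement quoted in the thread, and an operator outside the allowed four.
for my $input ($FORM{calc}, '8 / 0', "MacPerl::Answer('Erase System Folder?', 'OK')", '2 ** 3') {
    my ($val, $err) = safe_calc($input);
    print "$input => ", (defined $val ? $val : "rejected ($err)"), "\n";
}
```

For the constructed inputs this prints 9 for the form value and rejects the other three: the `MacPerl::Answer` line fails the character allowlist before it is ever looked at, `8 / 0` is caught by the division check, and `2 ** 3` tokenizes to two consecutive operators and fails the shape check. Unary minus and parentheses are deliberately not supported; the point, as the message above says, is to limit the user to a few documented operations rather than to parse everything.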
