
[MacPerl] cgi script sample with cgi.pm and taint check

Hello MacPerl fans,

There were some postings from people who had trouble with CGI scripts.
The whole thing gets really weird if you also use taint checks.
You should use them if you write CGI scripts, but unfortunately
MacPerl then does not find its libraries any more,
especially not CGI.pm.
I have written a small example script: a calculator.
You can type in 3*(7-2) and get back the result.
The script uses the eval function, so complex arithmetic
expressions are possible, but a hacker could also use the eval
function. So input checking is essential, and the taint check
tests that we have made no silly mistakes.

You can test the following script offline (without a web server):
1) open it with MacPerl
2) check "Taint Check" in the Script menu.
   Check also "Warnings" if you have not already.
3) run the script
You should see the following message in the MacPerl window:

  (offline mode: enter name=value pairs on standard input)

4) type in the parameters. In this example,
we have one parameter named calc:

calc=4*5

Note:
CGI.pm converts the + in offline mode to a space,
so calc=2+2 does not work offline, but it works online.

5) type CTRL-D to tell MacPerl that input is finished

MacPerl will output HTML code.

6) copy & paste the HTML code and check it in a browser

And now the script:

#!perl -wT
#----------------------------------------------------------------
# calc.pl - simple calculator
# with high security
# using taint check on Mac

# If you do CGI, you should turn Taint Check on
# (MacPerl: Script Menu)
# Unfortunately we need the following lines on MacPerl
# (you also need at least MacPerl 5.16) so that the library
# folders are found again with taint checking on.
BEGIN {
  # $ENV{MACPERL} is tainted under -T; the regex capture untaints it.
  # This path comes from MacPerl itself, not from the user.
  my $f = $ENV{MACPERL};
  $f =~ /^(.+)$/;
  unshift @INC,
    "${1}lib:$MacPerl::Architecture:",
    "${1}lib:";
# uncomment next line if you can not include CGI.pm
# print @INC, "\n";
}
#--------------------
# now the real stuff:

use strict;
use CGI qw(:standard);          # load the CGI module

print header;                   # generates Content-type...
print start_html('Simple Calculator'),
      h1("Calculator");         # headline

print start_form,
      "calculate: ",
      textfield('calc'),
      submit,
      endform,
      hr, "\n";

if( param() )                   # if not first time called
{                               # then we also print the result
    my $userinput = param('calc');

    # now check that the user has not put in bad chars,
    # otherwise the user could type in something like
    # "unlink('::Systemfolder:Finder');"
    # Only the text captured by the parentheses is untainted;
    # eval() of a tainted string would be refused under -T anyway.

    if($userinput =~ /^([0-9+*\/\-\(\) ]+)$/ )
    {
        my $tocalc = $1;             # $1 is all in parens of regex above
        my $result = eval($tocalc);  # use perl to compute the result
        if( defined $result )
        {
            print "The result of $tocalc is $result";
        }
        else                         # e.g. division by zero or "2+"
        {
            print "could not calculate $tocalc: $@";
        }
    }
    else
    {
        print "please put in only numbers and operators.";
    }
}
print end_html;                     # standard HTML end

-------------------------
End of script
If you can read German, you can see the Unix version of this script
in action, and also get more information about Internet and Mac security, at my website:
http://meier-online.com/develop/safety

regards

Karsten Meier


---------------------------------------------------------------------
Karsten Meier

WWW: http://meier-online.com with the following highlights:
 * German MacPerl Primer * XTensions for use with QuarkXPress
EMail krstnmr@ibm.net
Unsolicited and/or commercial email is not permitted at this address.



***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch
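
Added example, not part of Karsten's post or his calc.pl: the same calculator idea, but the arithmetic is computed by a small recursive-descent parser instead of eval(), so no untaint-and-eval step is needed at all. It also prints whether each input is tainted (using Scalar::Util::tainted, so it assumes a modern perl rather than MacPerl 5.16), and it rejects two things the posted character class lets through to eval: a pair of adjacent '*', which Perl reads as the ** exponent operator, and division by zero. The file name calc2.pl and the list of sample inputs are constructed for this example.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run as:  perl -T calc2.pl '3*(7-2)'
# (perl refuses to start if -T is only in the #! line and not on the command line).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Evaluate an arithmetic expression without eval(), with a recursive-descent
# parser. Grammar (there is no exponent operator, so '**' is rejected):
#   expr   := term   (('+'|'-') term)*
#   term   := factor (('*'|'/') factor)*
#   factor := number | '-' factor | '(' expr ')'
# Returns ($value, undef) on success or (undef, $error_message) on failure.
sub calc {
    my ($input) = @_;
    (my $s = $input) =~ s/\s+//g;
    return (undef, "only digits . + - * / ( ) are allowed")
        unless $s =~ /\A[0-9.+\-*\/()]*\z/;          # allowlist, as in calc.pl
    return (undef, "expression too long") if length $s > 200;  # bounds recursion depth
    my @tok = $s =~ /(\d+(?:\.\d+)?|[-+*\/()])/g;
    return (undef, "malformed number") unless join('', @tok) eq $s;  # e.g. "1.2.3"
    return (undef, "empty expression") unless @tok;

    my $i    = 0;
    my $peek = sub { $i < @tok ? $tok[$i] : '' };
    my $next = sub { $tok[$i++] };
    my ($expr, $term, $factor);
    $factor = sub {
        my $t = $next->();
        die "unexpected end of expression\n" unless defined $t;
        return -$factor->() if $t eq '-';             # unary minus
        if ($t eq '(') {
            my $v = $expr->();
            die "missing ')'\n" unless $peek->() eq ')';
            $next->();
            return $v;
        }
        die "unexpected '$t'\n" unless $t =~ /\A\d/;  # catches the second '*' of '**'
        return $t + 0;
    };
    $term = sub {
        my $v = $factor->();
        while ($peek->() eq '*' || $peek->() eq '/') {
            my $op = $next->();
            my $r  = $factor->();
            if ($op eq '/') { die "division by zero\n" if $r == 0; $v /= $r }
            else            { $v *= $r }
        }
        return $v;
    };
    $expr = sub {
        my $v = $term->();
        while ($peek->() eq '+' || $peek->() eq '-') {
            my $op = $next->();
            my $r  = $term->();
            $v = $op eq '+' ? $v + $r : $v - $r;
        }
        return $v;
    };
    my $value = eval {            # eval BLOCK is fine under -T; only eval STRING is restricted
        my $v = $expr->();
        die "unexpected '" . $peek->() . "'\n" if $i < @tok;   # trailing garbage, e.g. "2)"
        $v;
    };
    return (undef, do { chomp(my $e = $@); $e }) if $@;
    return ($value, undef);
}

# Constructed sample inputs (not from the original post). A command-line
# argument, which is tainted under -T, is evaluated instead when one is given.
my @inputs = @ARGV ? @ARGV
    : ('3*(7-2)', '2+2', '-(4+1)*2', '10/4', '2**3', '1/0', '2+', '1.2.3', 'unlink(1)');
for my $in (@inputs) {
    my ($v, $err) = calc($in);
    printf "%-12s tainted=%-3s => %s\n", $in, (tainted($in) ? 'yes' : 'no'),
        (defined $v ? $v : "error: $err");
}
```

Run it with no arguments to see the constructed inputs (3*(7-2) gives 15, 2**3 and 1/0 are reported as errors, unlink(1) fails the allowlist), or pass an expression on the command line to see it reported as tainted; since calc() never hands the string to eval STRING, taint mode has nothing to object to and no capture-group untainting is required.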