mailing list archives
Re: CGI security: Escape newlines.
From: fc () all net (Fred Cohen)
Date: Tue, 6 Feb 1996 06:51:46 -0500
That document recommends removing or escaping the following characters
in user-supplied data before passing it to a shell:
There is (at least) one character missing from this list: the new line
character. I have never seen the new line character included in a list
of metacharaters to filter.
In my opinion, this is exactly the wrong way to go about providing
adequate security. If you are going to limit syntax as a method for
preventing abuse, you should not be eliminating symbols that are known
to be dangerous, but rather retaining symbols that are known to be safe.
Try retaining ONLY the desired symbols and eliminating all else - and
more generally - allow only what must be allowed and by default,
disallow all else.
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Re: bind() Security Problems Casper Dik (Feb 02)