Home page logo

bugtraq logo Bugtraq mailing list archives

Re: CGI security: Escape newlines.
From: angio () aros net (Dave Andersen)
Date: Mon, 5 Feb 1996 22:46:38 -0700

Lo and behold, Jennifer Myers once said:

There are a good set of security guidelines at:

That document recommends removing or escaping the following characters
in user-supplied data before passing it to a shell:


There is (at least) one character missing from this list: the new line
character.  I have never seen the new line character included in a list
of metacharaters to filter.

[lossy compression]

  Suggested fix:

Very simple.  Add the character \n (the new line character) to the
list of characters to REMOVE from user-supplied data before
suppling it to a shell in a CGI program.

   While there's no doubt that this fix works like a charm for dealing
with this particular hole, it seems to perpetuate one "goof" in the way
CGI scripts handle input data.  There's a very good lesson to be learned
from the adage "deny everything not expressly permitted."

  In this case, I submit that it's a BETTER solution to filter by:


 in which case, you know _exactly_ what characters your program will be
processing and you don't have to worry about extraneous cases like
someone dreaming up some flaw in your script where an unexpected control
character will wreak havoc.

   If you're really paranoid, preference it with something to detect
someone screwing around:

   if (/;<>*|`&$!#()[]{}:'"/) {
        &notify_me("Someone tried to hack us from $ENV{"REMOTE_ADDR"}
                    ($ENV{"REMOTE_HOST"})!  Make a note of it.\n";

   and afterwords, do the same "sanitizing" tr to make sure you didn't let
anything slip.

   As an aside, much of this is documented quite well in Paul Phillips'
secure-cgi page which you mentioned above.

    -Dave Andersen

angio () aros net                Complete virtual hosting and business-oriented
system administration         Internet services.  (WWW, FTP, email)
http://www.aros.net/          http://www.aros.net/about/virtual/
  "There are only two industries that refer to thier customers as 'users'."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]