
Perl CGI Programming: No experience required.
(Publisher: Sybex, Inc.)
Author(s): Erik Strom
ISBN: 0782121578
Publication Date: 11/01/97



What’s in a Form: Security Issues

HTML text input types and TEXTAREA fields allow a visitor to type in just about anything. This makes the HTML text types quite useful in terms of gathering information. However, they are your largest window of vulnerability to attack by malicious or clumsy visitors, too.

There isn’t much you can do about obscene or libelous entries in a guest book, unless you write your Perl script to filter out the “seven dirty words” or some such thing. Putting a table of obscenities together might be a fascinating exercise but, in the end, it would be a waste of time.

The list is probably somewhat longer since George Carlin first drew it up anyway!


TIP:  You’ll learn how to delete entries from the guest book in Skill 13.

But little troglodytes who spray-paint nasty words in your guest book are merely an annoyance.

A bigger worry for you should be the amount of text a visitor can enter in one field. For example, it would be relatively simple for a visitor from the Dark Side to crank up a file transfer and dump a few megabytes of garbage into the First Name: field of your form. If you hadn’t planned for that possibility, the garbage would hopelessly clog up the CGI program that you’ve hooked up to the HTML document. Assuming it made it through the Perl script without crashing it—and your Web server—it would needlessly hog disk space in the guest book file.

Perhaps the worst part would be when other visitors wanted to look at the guest book and got page after page of strange hieroglyphs instead, maybe even crashing their browsers.

A good start at limiting this sort of nonsense can be found in the text declarations in guestbook.html.

   <TD> <INPUT TYPE="text" NAME="first_name" SIZE="24"
    MAXLENGTH="30"> </TD>

The MAXLENGTH attribute tells the browser to accept at most that many characters in the field. Note that we have made it slightly larger than the displayed width of the field, in case someone really does have a long first_name. But there’s a great deal of difference between 30 and 30 million bytes.

Unfortunately, HTML’s TEXTAREA tag, which allows the user to type in more than one line of text, has no provision for limiting the amount that goes into it. You’ll fall back on a second line of defense for that: the Perl-CGI script itself.


NOTE:  The WRAP="virtual" parameter in guestbook.html’s TEXTAREA tag is a non-standard HTML attribute that “wraps” text in the window. In other words, when the user types to the edge of the window, the text automatically word-wraps down to the next line. The WRAP parameter was added by Netscape, but it’s supported by Microsoft’s Internet Explorer. Other values for WRAP are "off" (the default case), in which the user must press the [return] key to bring the cursor to the next line; and "physical", which has the same behavior as "virtual" but actually places newline characters into the text at the end of each line.

A Last Word on Security

It’s possible to enter system commands and HTML code into an HTML text field such as the ones you used in the guest book programs. Sometimes this can actually damage your system if your Perl code takes any of the text and executes it as a system command.

It’s also possible to enter a URL into one of the text fields. For example, a visitor could drop the path to a picture file into the Comments field of the guest book, as illustrated in Figure 7.7.


Figure 7.7:  A picture gets into the guest book

Figure 7.8 illustrates how easy it is.


Figure 7.8:  A URL in a form text field

The picture in Figure 7.7 certainly is not going to harm anything, but it could have been something not so nice. In any event, it isn’t what you intended to have in the guest book, is it?

The easiest way to guard against such intrusions is to filter out characters that obviously go into HTML code, shell commands, or URLs.

Adding one small code block to addguest.pl will provide the filter:

   # Go through each element in @InfoArray, split off the
   # "variable=" part, then translate pluses into spaces and
   # any escaped hex chars back into their real character values.

       for (my $n = 0; $n < @InfoArray; $n++)
           {
           # Limit of 2 keeps any literal "=" that survives in the value.
           my ($dummy, $temp) = split (/=/, $InfoArray[$n], 2);
           $temp = '' unless defined $temp;
           $temp =~ tr/+/ /;
           $temp =~ s/%([\dA-Fa-f][\dA-Fa-f])/pack ("C", hex ($1))/eg;
           # New in this version: after decoding, reject any value that
           # contains a character belonging to HTML, a shell command, or a URL.
           if ($temp =~ /[;<>&\*`|]/)
               {
               print "Illegal entry!!\n";
               exit;
               }
           $InfoArray[$n] = $temp;
           }

Calling exit to just drop the program is merely a suggestion; you can proceed in any way you want. The point is this: There is no reason for any of the characters in the test to be in a guest book entry and there is every reason for any of them to be in something you don’t want.

This is just one more line in your defenses.
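The two defenses discussed in this skill, the metacharacter filter just shown and the server-side length limit that the TEXTAREA discussion calls the "second line of defense", combined in one added example. This is not code from the book: the check_field name, the 1000-byte cap, the example.invalid host and the sample pairs are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Server-side cap on the decoded length of any one field. MAXLENGTH is
# only a hint to the browser and TEXTAREA has none at all, so the script
# must enforce its own limit (1000 is an assumption for this example,
# not a figure from the book).
my $MAX_FIELD_LENGTH = 1000;

# Decode one "name=value" pair the way addguest.pl does, then apply both
# checks. Returns (name, value, undef) when the field is acceptable and
# (name, undef, reason) when it is rejected.
sub check_field {
    my ($pair) = @_;
    my ($name, $value) = split /=/, $pair, 2;   # limit 2: keep any '=' in the value
    $value = '' unless defined $value;

    # Decode first, then test: "%3C" is harmless text until it becomes "<".
    $value =~ tr/+/ /;
    $value =~ s/%([\dA-Fa-f]{2})/pack("C", hex($1))/eg;

    return ($name, undef, "too long (" . length($value) . " bytes)")
        if length($value) > $MAX_FIELD_LENGTH;
    return ($name, undef, 'illegal character')
        if $value =~ /[;<>&\*`|]/;
    return ($name, $value, undef);
}

# Constructed sample pairs, as a browser would send them (not real data).
my @samples = (
    'first_name=Erik',
    'comments=Nice+site%2C+thanks%21',
    # the picture-URL trick from Figure 7.7, as the browser URL-encodes it
    'comments=%3CIMG+SRC%3D%22http%3A%2F%2Fexample.invalid%2Fpic.gif%22%3E',
    # a semicolon survives decoding and is caught by the character test
    'comments=hello%3B+world',
    # the "few megabytes of garbage" scaled down: 5000 bytes into a 30-char field
    'first_name=' . ('A' x 5000),
);

for my $pair (@samples) {
    my ($name, $value, $reason) = check_field($pair);
    if (defined $value) {
        printf "%-10s OK       %s\n", $name, $value;
    } else {
        printf "%-10s REJECTED %s\n", $name, $reason;
    }
}
```

The decode-then-check order matters: testing the raw pair for `<` would pass the image sample, because the browser sends it as `%3C` and it only becomes a `<` after unescaping.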


EXERCISE:  The Sambar Server: Building Your Web Site

The task after going through this skill is obvious: Add a guest book to your Sambar Web site.

However, now that you have learned how to store and retrieve HTML form information from disk files, you can go back to the work you did in Skill 6 and expand on it:

  Build on what you’ve learned in this skill to make a guest book for your Web site.
  Think about what you might do with the information you’ll gather from your polling forms (from Skill 6); use your imagination.
  Collate the form information and write a Perl-CGI program to display it.

Moving On

In the next skill, you will delve into the boon and bane of server-side includes, and other methods of creating dynamic Web pages and graphics.

Are You Experienced?

Now you can…

  create a guest book for your Web site
  store guest entries in a file on disk and call up the entire list for display in a Web page
  pack and unpack binary data for storage in structured database files
  equip your Web site with some basic security measures to guard against unwanted entries

