|
|
Posted by Lisa Pearlson on 11/11/05 20:55
I agree, but some characters are valid in names in some countries, like
"Gert-Jan v/d Boer". So sometimes it can actually be harder to know what to
expect, than it it to know what is definitely wrong (like specific key words
or SQL statements).
"Philip Ronan" <invalid@invalid.invalid> wrote in message
news:BF9A6AFB.3AB44%invalid@invalid.invalid...
> "Lisa Pearlson" wrote:
>
>> They can also inject stuff in the "Subject" line..
>>
>> You should run your name, e-mail and subject lines through a test
>> function
>> like mine:
>>
>> function isUnsafe($str)
>> {
>> if (eregi('Content-Type', $str))
>> return true;
>>
>> if (eregi('multipart/mixed', $str))
>> return true;
>>
>> if (eregi('bcc:', $str))
>> return true;
>>
>> return false;
>> }
>>
>> Probably isn't sufficient, but the "Content-Type" and "multipart" stuff
>> is
>> dangerous.
>
> This was discussed here just a few days ago:
> http://groups.google.co.uk/group/comp.lang.php/browse_thread/thread/689f9ef1
> 5372dfc1/7da226ecec244dea
>
> Generally it's better to check that the submitted data conforms to a
> *valid*
> pattern than to check it against specific *invalid* patterns. Among other
> things, your routine won't detect any linefeeds, which provide a simple
> means of inserting additional headers (and even body content) into an
> email.
>
> So for example, if you think a valid "Subject" should consist of between 1
> and 200 characters with ASCII codes of 32 or more (i.e. no control
> characters), then *don't accept anything else*.
>
> You should also make sure your script cannot be affected by user input
> that
> contains, for example, quotation marks or HTML tags. For example, suppose
> your error routine consists of something like this:
>
> <?
> :
> :
> $subject = $_GET["subject"];
> if (!isValid($subject))
> die("<P>Sorry, but \"$subject\" is not a valid subject string.</P>");
> :
> :
> ?>
>
> If you haven't checked that $subject contains no HTML tags, then the
> hacker
> can insert whatever he likes into your HTML, such as a link to some other
> website, or piece of Javascript that redirects the page automatically.
> That
> would be a serious problem if the page was part of an online banking site
> (Google for "phishing" if you can't figure out why).
>
> --
> phil [dot] ronan @ virgin [dot] net
> http://vzone.virgin.net/phil.ronan/
>
Navigation:
[Reply to this message]
|