[Tutor] Untainting CGI parameters
Jan Eden
lists at janeden.org
Thu Aug 11 09:21:35 CEST 2005
Hi Kent, hi Alan,
Kent Johnson wrote on 10.08.2005:
>OK, I don't know much Perl but I don't think these two snippets do
>the same thing. For one thing the regexes are different, second in
>the Python you need to check if the match succeeds.
>
>>my $type = ($parameters{type} && ($parameters{type} =~ /^(\w+)$/)) ?
>>$1 : 'page';
>>
OK, you got me - the regexes were indeed not identical, and only the Perl code included a check whether the match was successful.
Alan G wrote on 10.08.2005:
>>I would like to untaint all parameters with which my CGI script is
>>called. Example:
>
>Can you explain 'untaint'??? Not a term I'm familiar with...
"Untainting" CGI parameters is derived from Perl's taint mode - turning on this mode makes Perl assume that all input coming from the user of a script is probably evil and needs to be hand-checked before using it for anything outside the script itself (e.g. calling external programs, removing files, sending mail etc.)
>
>>if parameters.has_key('type'):
>>    match = re.search('\w+', parameters['type'].value)
>>    type = match.group()
>>else:
>>    type = 'page'
>
>In Python "it's better to ask forgiveness than permission" so...
>
>try:
>    type = re.search('\w+', parameters['type'].value).group()
>except KeyError:
>    type = 'page'
>
Thank you - that wraps up two lines in one, just as I intended. I tried it before but must have mixed up something when calling the group() method on the object returned by the search method immediately.
I will combine Kent's and your suggestion, because he included a check for an AttributeError:
try:
    # search() returns None when nothing matches, so .group() raises AttributeError
    type = re.search('\w+', parameters['type'].value).group()
except (KeyError, AttributeError):
    type = 'page'
Thank you both,
Jan
--
Remember: use logout to logout.
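As an added example that is not part of Jan's message or the Tutor thread: Kent's remark that the regexes differ matters for untainting, because an unanchored `\w+` extracts the first run of word characters instead of rejecting a bad value. The function below checks the whole value the way Perl's `/^(\w+)$/` does, and falls back to the default on both a missing key and a failed match. It assumes the parameters have already been reduced to a plain dict of strings (the sample dict is constructed), rather than `cgi.FieldStorage` objects with a `.value` attribute.

```python
import re

# Constructed sample of parsed CGI parameters (plain strings, not
# FieldStorage objects as in the thread's parameters['type'].value).
SAMPLE_PARAMS = {
    "type": "article",
    "page": "../../etc/passwd",
    "empty": "",
}

# Whole-value pattern, the Python counterpart of Perl's /^(\w+)$/.
# \A and \Z anchor to the real start and end of the string; a bare '$'
# would also accept a value that ends in a newline.
WORD_ONLY = re.compile(r"\A\w+\Z")


def untaint(params, key, default, pattern=WORD_ONLY):
    """Return params[key] only if the whole value matches pattern,
    otherwise the safe default.

    A missing key raises KeyError; a failed match makes search() return
    None, so .group() raises AttributeError. Both fall back to the
    default, which is the exception pair the thread settles on."""
    try:
        return pattern.search(params[key]).group()
    except (KeyError, AttributeError):
        return default


def untaint_first_word(params, key, default):
    """The unanchored variant from the thread. It never rejects bad
    input; it silently keeps the first run of word characters."""
    try:
        return re.search(r"\w+", params[key]).group()
    except (KeyError, AttributeError):
        return default
```

Comparing the two on the constructed "page" value shows the difference: the anchored check returns the default, while the unanchored one hands back the fragment "etc" as if it were clean.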