[Tutor] Untainting CGI parameters

Jan Eden lists at janeden.org
Thu Aug 11 09:21:35 CEST 2005

Hi Kent, hi Alan,

Kent Johnson wrote on 10.08.2005:

>OK, I don't know much Perl but I don't think these two snippets do
>the same thing. For one thing the regexes are different, second in
>the Python you need to check if the match succeeds.
>>my $type = ($parameters{type} && ($parameters{type} =~ /^(\w+)$/)) ?
>>$1 : 'page';

Ok, you got me - the regexes were indeed not identical, and only the Perl code included a check if the match was successful.

Alan G wrote on 10.08.2005:

>>I would like to untaint all parameters with which my CGI script is
>>called. Example:
>Can you explain 'untaint'??? Not a term I'm familiar with...

"Untainting" CGI parameters is derived from Perl's taint mode - turning on this mode makes Perl assume that all input coming from the user of a script is probably evil and needs to be hand-checked before using it for anything outside the script itself (e.g. calling external programs, removing files, sending mail etc.)

>>if parameters.has_key('type'):
>>    match = re.search('\w+', parameters['type'].value)
>>    type = match.group()
>>else:
>>    type = 'page'
>In Python "it's better to ask forgiveness than permission" so...
>try: type = re.search('\w+', parameters['type'].value).group()
>except KeyError: type = 'page'
Thank you - that wraps up two lines in one, just as I intended to. I tried it before but must have mixed up something when calling the group() method on the object returned by the search method immediately.

I will combine Kent's and your suggestion, because he included a check for an AttributeError:

    try:
        type = re.search('\w+', parameters['type'].value).group()
    # Python 2 needs the tuple: "except KeyError, AttributeError:" would
    # bind the caught KeyError to the name AttributeError instead.
    except (KeyError, AttributeError):  # no 'type' param / search() returned None
        type = 'page'

Thank you both,

Remember: use logout to logout.
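An added example (not code from this thread) that carries Kent's point about the regexes through in Python 3: the unanchored re.search('\w+') from the messages above pulls a word out of any value, while a pattern anchored like the Perl /^(\w+)$/ accepts or rejects the whole value. It assumes a plain dict of decoded strings in place of cgi.FieldStorage; the sample parameters are constructed.

```python
import re

# Anchored like Perl's /^(\w+)$/: the whole value must be word characters.
# \Z instead of $ so that a trailing newline ("article\n") is rejected too;
# re.ASCII keeps \w to [A-Za-z0-9_], as the Perl of the day did.
SAFE_TYPE = re.compile(r'^\w+\Z', re.ASCII)

def untaint_type(params, default='page'):
    """Return params['type'] only if the entire value is a plain word."""
    try:
        value = params['type']          # assumed: dict of str, not FieldStorage
    except KeyError:
        return default
    return value if SAFE_TYPE.match(value) else default

def loose_type(params, default='page'):
    """The unanchored form from the thread, kept to show what it lets through."""
    try:
        return re.search(r'\w+', params['type']).group()
    except (KeyError, AttributeError):  # no parameter / no match (None)
        return default

# Constructed sample requests: what a CGI script might actually receive.
SAMPLES = {
    'missing':   {},
    'clean':     {'type': 'article'},
    'empty':     {'type': ''},
    'traversal': {'type': '../config'},
    'markup':    {'type': 'admin<b>'},
    'newline':   {'type': 'article\n'},
}

def compare(samples=SAMPLES):
    """Map each sample name to (loose_result, anchored_result)."""
    return {name: (loose_type(p), untaint_type(p)) for name, p in samples.items()}

if __name__ == '__main__':
    for name, (loose, strict) in compare().items():
        print('%-10s loose=%-12r anchored=%r' % (name, loose, strict))
```

Only 'clean' survives the anchored check; the loose form hands back 'config', 'admin' and 'article' for the last three inputs, which is exactly the untainting gap the Perl version closes.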
