Re: CGI security: Escape newlines.

Fred Cohen (fc@all.net)
Tue, 6 Feb 1996 06:51:46 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dave Andersen: "Re: CGI security: Escape newlines."
Previous message: Robert S. Muhlestein: "Re: CGI security: Escape newlines."
In reply to: Jennifer Myers: "CGI security: Escape newlines."
Next in thread: Dave Andersen: "Re: CGI security: Escape newlines."

...
> That document recommends removing or escaping the following characters
> in user-supplied data before passing it to a shell:
>
>         ;<>*|`&$!#()[]{}:'"/
>
> There is (at least) one character missing from this list: the new line
> character.  I have never seen the new line character included in a list
> of metacharaters to filter.
...

In my opinion, this is exactly the wrong way to go about providing
adequate security.  If you are going to limit syntax as a method for
preventing abuse, you should not be eliminating symbols that are known
to be dangerous, but rather retaining symbols that are known to be safe.
Try retaining ONLY the desired symbols and eliminating all else - and
more generally - allow only what must be allowed and by default,
disallow all else.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

Next message: Dave Andersen: "Re: CGI security: Escape newlines."
Previous message: Robert S. Muhlestein: "Re: CGI security: Escape newlines."
In reply to: Jennifer Myers: "CGI security: Escape newlines."
Next in thread: Dave Andersen: "Re: CGI security: Escape newlines."