Tutorial 5: Using Sapphire to Improve Form Security
You should not allow user input to go directly to a CGI or server application. Rather, you should screen the input first, so that only the commands you want to allow can be executed. You will use the function SaSafeExecArg to fix the project from tutorial 4.
- 5. From the Activators list in the Project Window, select the manform.html<FORM>FormAction activator.
- 6. Click the Object Bind Editor (Selected Activator) icon to edit this activator (Fig. 3-1).
- 7. Notice that the value of the title argument is: SaGetInputValue("title")
- 8. Change the value of the title argument by clicking in the far left corner of the text field, then type: SaSafeExecArg(
- 9. Click on the right-most part of the text field and type: )
- 10. The value in the text field should now be: SaSafeExecArg(SaGetInputValue("title"))
- Note: You may have to make the Object Bind Editor window wider to see all of the text entered into the text field.
- 11. Click Ok. Save and Test the project.
- 12. When your browser again displays index.html, click the Man Page anchor.
- 13. Enter ls; cat /etc/passwd in the text field and click Submit.
- 14. Look at the bottom of the next page that comes into your browser. You will see that it does not contain the contents of your password file.
SaSafeExecArg makes a string "safe." It escapes with a backslash any ;, <, >, or | characters, so that the CGI will interpret them literally, and not as UNIX shell commands.
You can also fix this security hole by changing the definition of the Executable Data Object. If you change the command line parameter to #title,wrap#, the CGI will put single quotes around the title argument. This prevents the ; from being interpreted as a UNIX shell command.
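As an added illustration, not Sapphire's own code: a Python model of the two fixes described above, the backslash escaping that SaSafeExecArg performs and the single-quote wrapping of #title,wrap#, plus a scanner that reports any ;, <, > or | a shell would still read as syntax rather than data. The command name man, and the handling of a single quote inside a wrapped value, are assumptions, since the page does not state them.

```python
SHELL_SEPARATORS = ";<>|"  # the characters the tutorial says SaSafeExecArg escapes

def safe_exec_arg(value: str) -> str:
    """Mimic SaSafeExecArg: put a backslash before each ; < > | so the
    shell reads it as a literal character, not as a command separator."""
    return "".join("\\" + ch if ch in SHELL_SEPARATORS else ch for ch in value)

def wrap_arg(value: str) -> str:
    """Mimic the #title,wrap# form: enclose the argument in single quotes.
    The page does not say what Sapphire does with a quote inside the value;
    here it becomes '\\'' (close, escaped quote, reopen) so it cannot end
    the quoted region early. This is an assumption, not documented behaviour."""
    return "'" + value.replace("'", "'\\''") + "'"

def unquoted_separators(cmdline: str) -> list[str]:
    """Scan a command line as a POSIX shell reads it and return each ; < > |
    that is neither backslash-escaped nor inside single quotes. Any such
    character would be executed as shell syntax instead of passed as data."""
    found, in_single, escaped = [], False, False
    for ch in cmdline:
        if escaped:               # the character after a backslash is literal
            escaped = False
        elif in_single:           # inside '...' only the closing quote is special
            in_single = ch != "'"
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            in_single = True
        elif ch in SHELL_SEPARATORS:
            found.append(ch)
    return found

def build_man_command(title: str, fix: str = "none") -> str:
    """Assemble the command line from the form's title field with the chosen
    fix ("none", "escape" or "wrap"). The 'man' command name is assumed."""
    if fix == "escape":
        title = safe_exec_arg(title)
    elif fix == "wrap":
        title = wrap_arg(title)
    return "man " + title

if __name__ == "__main__":
    payload = "ls; cat /etc/passwd"  # the input typed in step 13
    for fix in ("none", "escape", "wrap"):
        cmd = build_man_command(payload, fix)
        print(f"{fix:7} {cmd!r:35} unescaped separators: {unquoted_separators(cmd)}")
```

The scanner checks only the four characters the tutorial names; a shell recognises other metacharacters as well, so quoting the whole argument is the more robust of the two fixes, and running the program without a shell at all avoids the problem entirely.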
info@bluestone.com
Copyright © 1997, Bluestone. All rights reserved.