diff options
author | Yorhel <git@yorhel.nl> | 2017-12-24 22:03:05 +0100 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2017-12-24 22:05:02 +0100 |
commit | 2aee6b38815548cece7bc8c47f3947a2292f9eee (patch) | |
tree | f1ec3fd438ef4b34a4833c456709937ef23b3b6b | |
parent | c60723ade78b9c2145bc3b92a2ec51c4c91f2440 (diff) |
TUWF::Request: Disallow ASCII control codes in urlencoded data
This only catches trivial malicious url-encoding attacks; Such control
codes can still get in through multipart form data or perhaps even URLs.
I'll see if I should protect against those other injection methods, too.
-rw-r--r-- | lib/TUWF/Request.pm | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/TUWF/Request.pm b/lib/TUWF/Request.pm index 394d950..f7d67b4 100644 --- a/lib/TUWF/Request.pm +++ b/lib/TUWF/Request.pm @@ -77,6 +77,9 @@ sub _parse_urlencoded { decode_utf8($s, 1); #eg; s/%u([0-9a-fA-F]{4})/chr hex($1)/eg; + # Disallow any control codes, except for x09 (tab), x0a (newline) and x0d (carriage return) + # The error message is a hack to trigger the 'utf8' error code. + die "Illegal control code (does not map to Unicode)" if /[\x00-\x08\x0b\x0c\x0e-\x1f]/; } push @{$dat{$key}}, $val; } |