summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYorhel <git@yorhel.nl>2017-12-24 22:03:05 +0100
committerYorhel <git@yorhel.nl>2017-12-24 22:05:02 +0100
commit2aee6b38815548cece7bc8c47f3947a2292f9eee (patch)
treef1ec3fd438ef4b34a4833c456709937ef23b3b6b
parentc60723ade78b9c2145bc3b92a2ec51c4c91f2440 (diff)
TUWF::Request: Disallow ASCII control codes in urlencoded data
This only catches trivial malicious url-encoding attacks; Such control codes can still get in through multipart form data or perhaps even URLs. I'll see if I should protect against those other injection methods, too.
-rw-r--r--lib/TUWF/Request.pm3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/TUWF/Request.pm b/lib/TUWF/Request.pm
index 394d950..f7d67b4 100644
--- a/lib/TUWF/Request.pm
+++ b/lib/TUWF/Request.pm
@@ -77,6 +77,9 @@ sub _parse_urlencoded {
decode_utf8($s, 1);
#eg;
s/%u([0-9a-fA-F]{4})/chr hex($1)/eg;
+ # Disallow any control codes, except for x09 (tab), x0a (newline) and x0d (carriage return)
+ # The error message is a hack to trigger the 'utf8' error code.
+ die "Illegal control code (does not map to Unicode)" if /[\x00-\x08\x0b\x0c\x0e-\x1f]/;
}
push @{$dat{$key}}, $val;
}