diff options
authorYorhel <>2017-12-24 22:03:05 +0100
committerYorhel <>2017-12-24 22:05:02 +0100
commit2aee6b38815548cece7bc8c47f3947a2292f9eee (patch)
parentc60723ade78b9c2145bc3b92a2ec51c4c91f2440 (diff)
TUWF::Request: Disallow ASCII control codes in urlencoded data
This only catches trivial malicious url-encoding attacks; Such control codes can still get in through multipart form data or perhaps even URLs. I'll see if I should protect against those other injection methods, too.
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/TUWF/ b/lib/TUWF/
index 394d950..f7d67b4 100644
--- a/lib/TUWF/
+++ b/lib/TUWF/
@@ -77,6 +77,9 @@ sub _parse_urlencoded {
decode_utf8($s, 1);
s/%u([0-9a-fA-F]{4})/chr hex($1)/eg;
+ # Disallow any control codes, except for x09 (tab), x0a (newline) and x0d (carriage return)
+ # The error message is a hack to trigger the 'utf8' error code.
+ die "Illegal control code (does not map to Unicode)" if /[\x00-\x08\x0b\x0c\x0e-\x1f]/;
push @{$dat{$key}}, $val;