
This queue is for tickets about the CGI-Simple CPAN distribution.

Report information
The Basics
Id: 62616
Status: resolved
Priority: 0/
Queue: CGI-Simple

People
Owner: Nobody in particular
Requestors: sflex [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 1.112
Fixed in: (no value)



Subject: $NO_NULL security issue
The filter used to remove null bytes will only remove null byte "\000".
Perl also interprets a null byte as "\0", "\00" and with the filter url_decode(); the null byte "%00" gets decoded. The setting $NO_NULL can be hacked.

An example:
my $value = "Test 1-\011-\n\n" . "Test 2-\015\012-\n\n"; # safe stuff
$value .= "Test 3-\0-\00-\000-%00-\n\n"; # add-in Null Bytes
# send variable $value to CGI::Simple for parsing
#$value = CGI::Simple::url_decode($value); # used to decode "%00"
print $value;

On Mon Nov 01 08:13:32 2010, SFLEX wrote:
> The filter used to remove null bytes will only remove null byte "\000".
> Perl also interprets a null byte as "\0", "\00" and with the filter
> url_decode(); the null byte "%00" gets decoded. The setting $NO_NULL
> can be hacked.
>
> An example:
> my $value = "Test 1-\011-\n\n" . "Test 2-\015\012-\n\n"; # safe stuff
> $value .= "Test 3-\0-\00-\000-%00-\n\n"; # add-in Null Bytes
> # send variable $value to CGI::Simple for parsing
> #$value = CGI::Simple::url_decode($value); # used to decode "%00"
> print $value;
>
The problem I was having was my own error!
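
An added example (not part of the ticket and not CGI::Simple's own code) that checks the ticket's test string in plain Perl: it counts the NUL bytes each escape produces and compares stripping NULs before and after percent-decoding. The helpers `percent_decode`, `strip_nul` and `count_nul` are hypothetical names written for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a percent-decoder; NOT CGI::Simple's url_decode.
sub percent_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Delete every NUL byte from a copy of the string.
sub strip_nul {
    my ($s) = @_;
    $s =~ tr/\000//d;
    return $s;
}

# Count NUL bytes without modifying the string.
sub count_nul {
    my ($s) = @_;
    return ( $s =~ tr/\000// );
}

# Third test line from the ticket.
my $value = "Test 3-\0-\00-\000-%00-\n\n";

# "\0", "\00" and "\000" are three spellings of the same octal escape, chr(0).
# "%00" is three ordinary ASCII characters until something percent-decodes it.
printf "escapes are the same byte: %s\n",
    ( "\0" eq "\00" && "\00" eq "\000" && "\000" eq chr(0) ) ? "yes" : "no";
printf "NULs in raw string:        %d\n", count_nul($value);
printf "NULs after strip only:     %d\n", count_nul( strip_nul($value) );

# Order matters: a strip that runs before decoding cannot see "%00".
my $strip_then_decode = percent_decode( strip_nul($value) );
my $decode_then_strip = strip_nul( percent_decode($value) );

printf "NULs, strip then decode:   %d\n", count_nul($strip_then_decode);
printf "NULs, decode then strip:   %d\n", count_nul($decode_then_strip);
```

When auditing any NUL filter, the check that matters is the last line: the strip has to run on the decoded value, after every decoding step that can produce a NUL.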