Posted to embperl@perl.apache.org by Gerald Richter <ri...@ecos.de> on 2000/05/02 08:45:03 UTC

Security Fixes

Hi,

I have just committed two fixes for possible security problems to the
Embperl CVS, which Dirk Lutzebaeck pointed out.

   - New $escmode (or EMBPERL_ESCMODE) to disable the possibility
     to turn off escaping with a leading backslash. Adding 4 to
     any escmode will cause Embperl to do no special processing
     on the backslash. This is mainly to avoid problems with
     cross site scripting issues, where people are able to enter
     arbitrary HTML.
   - Characters between 128 and 159 are all HTML escaped now to
     avoid problems with buggy browsers, which were reported to
     treat the chars 139 and 141 as < and >.

The default for escmode is still 3, which means insecure in this context. I
have left it at this value, to not break existing scripts, but from a
security point of view, it would be better to make the default 7, in which
case the HTML escaping could not be disabled by a leading backslash.

Any comments?

Gerald

-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925151
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------
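A small model of the two escaping rules described in the post, added here as an illustration (this is not Embperl's own code). The treatment of escmode bit 1 as "HTML-escape the output" is assumed from Embperl's documentation; the meaning of adding 4 and the handling of characters 128 to 159 follow the post.

```python
# Illustrative model of Embperl output escaping, not the real implementation.
# escmode bits: 1 = HTML-escape output (assumed from Embperl docs),
#               4 = no special backslash processing (from the post).
ESC_HTML = 1
ESC_NO_BACKSLASH = 4

# Always escaped: the usual HTML metacharacters plus bytes 128..159,
# which some browsers were reported to render as < and >.
_META = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def html_escape_char(ch):
    """Escape a single character; chars 128-159 become numeric entities."""
    if ch in _META:
        return _META[ch]
    if 128 <= ord(ch) <= 159:
        return "&#%d;" % ord(ch)
    return ch


def embperl_escape(text, escmode=3):
    """Escape `text` according to the modelled escmode.

    Without bit 4, a backslash suppresses escaping of the character that
    follows it (the behaviour that lets attacker-controlled input smuggle
    raw HTML past the escaper). With bit 4 set, the backslash is ordinary
    text and every following character is escaped as usual.
    """
    if not escmode & ESC_HTML:
        return text
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and not escmode & ESC_NO_BACKSLASH and i + 1 < len(text):
            out.append(text[i + 1])  # emitted raw: the escape bypass
            i += 2
            continue
        out.append(html_escape_char(ch))
        i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample of user-supplied text containing leading backslashes.
    user_input = "\\<b\\>bold\\</b\\>"
    print(embperl_escape(user_input, 3))   # default: backslash bypass honoured
    print(embperl_escape(user_input, 7))   # 3 + 4: fully escaped
    print(embperl_escape("\x8bscript\x8d", 7))  # chars 139 and 141 escaped
```

With the default escmode 3 the sample input comes out as live markup; with escmode 7 the same input is rendered inert, which is the change the post recommends making the default.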