[ic] RegEx Comparison
Peter
peter at pajamian.dhs.org
Sat Oct 10 09:14:00 UTC 2020
On 10/10/20 2:39 am, mihai at airdelights.com wrote:
> Hello,
>
> The following piece of code is supposed to compare the response message from an HTTP GET request to a value obtained from the previous webpage, using the CGI tag.
>
> 'res_msg' : variable which holds the response message
> 'order' : variable which holds the order number from the previous page
>
> [if scratch res_msg =~ /[cgi order]/]
> [warnings message="Tracking email for [cgi order] successfully resent"]
> [/if]
In addition to what Mark already said, this is a very bad idea. You're
introducing a code injection vulnerability here. Consider:
http://www.example.com/cgi-bin/mycart/mypage.html?order=%28%3F%7B%20code%20%7D%29
(note: code can be replaced above with any perl code).
I would recommend that you at least filter the cgi order variable to
remove non-numeric or non-alphanumeric chars, or find another way to
process it that doesn't end up interpreting what's inside a cgi variable
by the perl regex parser.
Peter
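The following is an added example in plain Perl, not code from the list thread or from Interchange itself. It shows the shape of the problem Peter describes (a CGI value dropped straight into a regex) beside three hardened forms: an allow-list check on the order number, a literal match with \Q...\E (quotemeta), and a plain substring search that avoids the regex engine entirely. The response string, the order values and the assumption that order numbers are short alphanumeric strings are all constructed for the example; the real format should be taken from the application.

```perl
#!/usr/bin/perl
# Added example (not Interchange's own code): compare a response message
# against a CGI-supplied order number without letting that value reach the
# regex parser as pattern syntax.  All sample values below are constructed.
use strict;
use warnings;

# Vulnerable shape from the post: the untrusted value is interpolated into
# the pattern, so regex metacharacters in it are interpreted as syntax.
sub match_unsafe {
    my ($res_msg, $order) = @_;
    return $res_msg =~ /$order/ ? 1 : 0;
}

# Hardening step 1: allow-list the order number before using it at all.
# Assumption for this example: order numbers are 1-32 alphanumeric chars.
sub valid_order {
    my ($order) = @_;
    return defined $order && $order =~ /\A[A-Za-z0-9]{1,32}\z/ ? 1 : 0;
}

# Hardening step 2: even a value that passes the allow-list is matched
# literally.  \Q...\E applies quotemeta, so the value can only match itself.
sub match_safe {
    my ($res_msg, $order) = @_;
    return 0 unless valid_order($order);
    return $res_msg =~ /\Q$order\E/ ? 1 : 0;
}

# Hardening step 3: skip the regex engine and do a substring search.
sub match_index {
    my ($res_msg, $order) = @_;
    return 0 unless valid_order($order);
    return index($res_msg, $order) >= 0 ? 1 : 0;
}

# Constructed response text standing in for the HTTP GET reply.
my $res_msg = "Tracking email for order 12345 resent";

# Two ordinary order numbers, then two values carrying regex metacharacters.
for my $order ("12345", "99999", ".*", "1(2)3") {
    printf "%-8s unsafe=%d safe=%d index=%d\n",
        $order,
        match_unsafe($res_msg, $order),
        match_safe($res_msg, $order),
        match_index($res_msg, $order);
}
```

Running it shows why the filtering matters even short of code execution: the value `.*` makes match_unsafe report success against any response at all, so the "successfully resent" branch would fire for an order that was never resent, while both hardened functions reject it at the allow-list and, had it passed, would have matched only the literal characters.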