Tag Archives: QSTRING

Linux

Elaminate BACKTRACKS in PERL

Leave a comment

By bashily

I have the following code and I am trying to use mail command to send email to myself. settings on my server is setup, so I don’t need define the “FROM” address.
The main problem is if I use “-T” for tainted mode, this code won’t work. any idea how to fix it?

#!/usr/bin/perl -wT
$ENV{PATH}="/bin:/usr/bin"; # Securing the PATH
#@mail_to = split(/=/, $ENV{QUERY_STRING});
#$mail_to[1] = s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
#$mail_to[1] = tr/+/ /;
### Declare Variables ###
my $incorrectFlag = 0;

# Define REGEX pattern for email field
my %PATTERNS = (
"email" => '^(([a-zA-Z0-9_-.]+)@([a-zA-Z0-9_-.]+).([a-zA-Z]{2,5}){1,60})$'
);

# GET DATA FROM THE ENVIRONMENT VARIABLE
$qstring = $ENV{'QUERY_STRING'};

# Break data into ARRAY
@pairs = split (/&/, $qstring);

# START A LOOP TO PROCESS FORM DATA
foreach (@pairs) {

#split field name and value on ‘=’, store in two scalar variables
($key, $value) = split (/=/);
#translate ‘+’ signs back to spaces
$value =~ tr/+/ /;
#translate special character
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
#store data in hash
$form{$key} = $value;
}

######### HTML HEADER ##########
print "Content-Type:text/htmlnn";
# Check email format against the pattern
if ($form{address} !~ $PATTERNS{email})
{
print " This is a warning! You need to input a proper email address and nothing more!n";
$incorrectFlag = 1;
exit;
}
else
{
#print $form{address};
$incorrectFlag = 0;
}
'mail -s "message" $form{address} < message.txt';
print "n";
print "

n";
print "The sender is $form{address}
n";
#print "The Value of QSTRING is: $qstringn";
print "

n";

…read more
Source: FULL ARTICLE at The UNIX and Linux Forums