Home/ Questions/Q 6796221
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T18:26:28+00:00

I have a question about Perl from the script below. If the input for

  • 0

I have a question about Perl from the script below. If the input for the $user variable is joeshmo; ls -l;, perl will only print out joeshmo if the line print $user is coded. My intuition tells me that all of joeshmo; ls -l; should be printed. However, if the user variable is given to finger to be executed, both joeshmo and ls -l are executed. I ask this because I am trying to limit the input that is allowed to the variable $user with a statement like 

if (($user !~ /^[a-z_A-Z0-9]+[-+%]*[a-z_A-Z0-9]+$/)){
die "The entered user name uses characters not of the alphanumeric form or the \"-\", \"+\", or \"%\"!";
}
else{

In the above statement I believe that the only input that will not cause the program to die are statements with alphanumeric characters and an underscore followed by -, +, % characters (if any are desired) and then another round of alphanumeric characters and an underscore. However, regular expression only evaluates the first part of the $user variable and not the entire thing as is the case with the in put joeshmo; ls -l;. The regular expression is only evaluated on joeshmo.

Another interesting piece of information that I do not understand is why the semicolons do not show up when the $user variable is printed? If they were, I could just search for those, but they are not printed and thus they are not able to be evaluated on a regular expression.

I would appreciate any help on these matters!

#!/usr/bin/perl

use CGI;
use CGI::Carp qw(fatalsToBrowser);
$q = new CGI;

print $q->header,
    $q->start_html('Finger User'),
    $q->h1('Finger User');
print "<pre>\n";

$user = $q->param("user");
print "\n";
print $user;
print "\n\n";

if (($user !~ /^[a-z_A-Z0-9]+[-+%]*[a-z_A-Z0-9]+$/)){
die "The entered user name uses characters not of the alphanumeric form or the \"-\", \"+\", or \"%\"!";
}
else{
print `/usr/bin/finger -s $user`;
}

print "</pre>";
print $q->end_html;
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I don’t think you’re ls -l is getting into $user at all. If it was, then your regex, which would be better written as $user !~ /^\w+[-+%]*\w+$/, would match and your die would be executed. I’m guessing that you’re calling this script as

    /cgi-bin/something.pl?user=joeshmo; ls -l;

    Some implementations allow a semicolon (;) to be used as a separator in query strings so that above would be (with some server implementations) equivalent to:

    /cgi-bin/something.pl?user=joeshmo& ls -l&

    and so, the ls -l part would not be considered part of user. Try URL encoding the semicolons and the spaces:

    /cgi-bin/something.pl?user=joeshmo%3B%20ls%20-l%3B

    and then you should see your ls -l and trigger the die.

    The reason that ; is sometimes allowed as a separator is that & is also used by HTML for encoding entities, so, any ampersands that appear in an HTML attribute should be encoded as &amp; or you’re risking confusion; for example, this will often misbehave:

    <a href="http://example.com?a=b&reg=c">

    but this won’t:

    <a href="http://example.com?a=b&amp;reg=c">

    In the HTML4 spec, the W3 recommends:

    […] that HTTP server implementors, and in particular, CGI implementors support the use of “;” in place of “&” to save authors the trouble of escaping “&” characters in this manner.

    • 0