CGIUTL - Incorrect Query Decode #31334 30 Jul 19 01:37 PM
Jack McGregor (OP), Member, joined Jun 2001, 11,945 posts
Tom - I reposted this/your message because it appears to me your original got buried with the old BBS just before the cutover - Jack

I've got an odd query string that is intended to include the following:

Code
post_note=<pdfnote>test</pdfnote> 


Which correctly encoded is:

Code
post_note=%3Cpdfnote%3Etest%3C%2Fpdfnote%3E 


I'm passing the entire query string through CGIOP_GETPARARY, and everything is being correctly decoded apart from the second "<"; in fact, any "<" after the first is being decoded as "[" instead.

Code
query'str = "post_note=%3Cpdfnote%3Etest%3C%2Fpdfnote%3E"
xcall cgiutl, CGIOP_GETPARARY, status, $params(), query'str

? $params("post_note") 

Code
<pdfnote>test[/pdfnote>


I can't see any issues with the string itself, or the way in which it's being processed. This is using 6.4.1557.5.

Thanks, Tom

Re: CGIUTL - Incorrect Query Decode [Re: Jack McGregor] #31335 30 Jul 19 02:02 PM
Jack McGregor (OP)
It appears that the conversion of < (after the first one) to [ was a deliberate defensive move to guard against malicious HTML injection. Whether that's an appropriate defense, or whether a defense is even needed here, is an open question. Since the result is being passed to the application directly, perhaps we should just assume the application had set the magic "trust me" bit and would take over responsibility for worrying about stuff like this?

Re: CGIUTL - Incorrect Query Decode [Re: Jack McGregor] #31338 30 Jul 19 05:27 PM
Jack McGregor (OP)
After further reflection on this, I decided that it wasn't CGIUTL's place to protect you from HTML injection hacks, at least not in this particular case (where the result is being passed back to the application rather than the browser). It might be worth further discussion for the operations that do output directly to the browser. But for the moment, I've posted beta patches that remove that dubious feature...

ash64notes.txt

ash-6.4.1558.8-w32-upd.zip
ash-6.4.1558.8-w32c-upd.zip
ash-6.4.1558.8-el5-upd.tz
ash-6.4.1558.8-el7-upd.tz

It'll also be in the 6.4.1664.2 patch which addresses an unrelated 6.5 change and may be posted elsewhere on this forum later tonight or tomorrow.

Alternatively, you could just convert all the "[" characters back to "<" (assuming that those characters won't otherwise occur on their own in your queries.)

(As a bonus this would give you an excuse to familiarize yourself with the somewhat obscure but highly useful XSTRIP.SBR.)
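The decode behaviour Tom reported and the workaround Jack describes (turning the "[" characters back into "<"), as an added example that is not part of the thread and is not CGIUTL's own code. It is Python rather than A-Shell BASIC, and the `legacy_decode_query` function is only an emulation of the behaviour described in the posts (assumption: the real CGIUTL logic is not shown). It also separates the two layers the thread is really about: percent-decoding the query for the application, and HTML-escaping a value at the point where it is written back to the browser.

```python
from urllib.parse import unquote_plus
import html

# Constructed sample input: the query string from Tom's post.
QUERY = "post_note=%3Cpdfnote%3Etest%3C%2Fpdfnote%3E"


def decode_query(qs: str) -> dict:
    """Decode a query string into a dict of parameter -> value.

    This is decoding only: %XX sequences and '+' are translated and nothing
    else is altered, so the application receives exactly what was sent.
    When a key repeats, the last value wins.
    """
    params = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value) if sep else ""
    return params


def legacy_decode_query(qs: str) -> dict:
    """Emulation (assumption, not CGIUTL's code) of the behaviour reported in
    the thread: after a correct decode, every '<' in a value except the first
    is replaced by '['."""
    out = {}
    for key, value in decode_query(qs).items():
        first, sep, rest = value.partition("<")
        out[key] = first + sep + rest.replace("<", "[")
    return out


def restore_brackets(value: str) -> str:
    """Jack's suggested workaround: map '[' back to '<'. Only safe when a
    literal '[' cannot legitimately occur in the value."""
    return value.replace("[", "<")


def html_escape(value: str) -> str:
    """Output encoding for the case where a value is written to the browser.
    This is where injection protection belongs, not in the query decoder."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("decoded  :", decode_query(QUERY)["post_note"])
    print("legacy   :", legacy_decode_query(QUERY)["post_note"])
    print("restored :", restore_brackets(legacy_decode_query(QUERY)["post_note"]))
    print("for html :", html_escape(decode_query(QUERY)["post_note"]))
```

The decoder never rewrites characters because the application is the consumer; `html_escape` is applied only to a value that is about to be emitted as HTML, which is the output path Jack flags as worth a separate discussion.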

Re: CGIUTL - Incorrect Query Decode [Re: Jack McGregor] #31341 31 Jul 19 01:45 AM
OmniLedger - Tom Reynolds
Thanks Jack, we'd actually been making that assumption already, and had some injection protection in place in various parts of the system.

I'd not actually come across XSTRIP before, so will be sure to dip into that one, much appreciated!

