40dd8ea044842ea6d662bb3676debb3ac0a417ee hiram Sat Nov 16 15:42:30 2024 -0800 better safely limit length of all incoming strings refs #32596
diff --git src/hg/gar/asr.cgi.pl src/hg/gar/asr.cgi.pl
index 375f30e..fdf908d 100755
--- src/hg/gar/asr.cgi.pl
+++ src/hg/gar/asr.cgi.pl
@@ -47,51 +47,55 @@ print "<body>\n"; # QUERY_STRING name=some%20name&email=some@email.com&asmId=GCF_000951035.1_Cang.pa_1.0 my %incoming = ( "name" => "noName", "email" => "noEmail", "asmId" => "noAsmId", "betterName" => "noBetterName", "comment" => "noComment", ); my $validIncoming = 0; my $extraneousArgs = 0; +# limit all to reasonable lengths +my $maxLength = 1024; + foreach my $tag ($query->param) { my $value = $query->escapeHTML(uri_unescape($query->param($tag))); # only accept known inputs, the five defined above for %incoming defaults if (defined($incoming{$tag}) && defined($value)) { - $incoming{$tag} = $value; + $incoming{$tag} = substr($value, 0, $maxLength); ++$validIncoming; } else { ++$extraneousArgs; } } if ( ($validIncoming != 5) || ($extraneousArgs > 0) || ($referDomain ne $domainMustBe) || ($httpRefer ne $httpReferMustBe) ) { # not a legitimate request from our own business, do nothing. printf STDERR "# ERROR: cgi-bin/asr invalid request %d %d %s %s\n", $validIncoming, $extraneousArgs, $referDomain, $httpRefer; printf "<p>HTTP_REFERER: %s</p>\n", $referer; printf "<p># ERROR: cgi-bin/asr invalid request %d %d %s %s</p>\n", $validIncoming, $extraneousArgs, $referDomain, $httpRefer; printf "<h3>err exit at end of asr</h3>\n"; print "</body></html>\n"; exit 0; } + printf "<ul>\n"; printf "<li> name: '%s'</li>\n", $incoming{"name"}; printf "<li>email: '%s'</li>\n", $incoming{"email"}; printf "<li>asmId: '%s'</li>\n", $incoming{"asmId"}; printf "<li>betterName: '%s'</li>\n", $incoming{"betterName"}; printf "<li>comment: '%s'</li>\n", $incoming{"comment"}; printf "</ul>\n"; my $DS=`date "+%F %T"`; chomp $DS; my $cleanEmail = $incoming{"email"}; $cleanEmail =~ s/@/ at /; $cleanEmail =~ s/\./ dot /g;
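Review bot: The truncation on the changed `$incoming{$tag} = substr($value, 0, $maxLength);` line runs after escapeHTML(), so the cut can land inside an entity that escaping just produced (`&lt;` becomes `&l`) and the limit bounds the escaped length rather than the submitted one — 300 `<` characters are 1200 characters after escaping and get cut, while the same raw length of plain text passes untouched. Clamp the raw value first and escape the clamped result, e.g. `my $raw = $query->param($tag);` followed by `my $value = defined($raw) ? $query->escapeHTML(substr(uri_unescape($raw), 0, $maxLength)) : undef;`, which also keeps the existing `defined($value)` check meaningful (substr() on undef would otherwise warn rather than skip). Since the script already rejects any request that is not exactly the five expected parameters from the expected referer, an over-length value is arguably the same kind of illegitimate request and could be counted toward $extraneousArgs instead of being silently truncated, which otherwise hands a mangled email address or asmId to the $cleanEmail processing at the end of the hunk. Whether substr() here counts characters or bytes depends on how the CGI object decodes the query string, which is not visible in this hunk, so the effective byte limit may exceed 1024; a comment on the `my $maxLength = 1024;` line stating which unit is intended would help. Note also that `$query->param` already returns a decoded value, so the extra uri_unescape() decodes `%25xx` sequences a second time — harmless here only because escapeHTML() runs afterwards, and worth a one-line comment so the ordering is not changed casually.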