by Simon Hayes, Linux.com
Friday July 27th, 2001
Finding, Using and Decoding CGI Data
In this first article in this series we looked at the HTTP transaction that
is the key to understanding how data is passed around with the World Wide Web.
We took a quick look at the mechanism of CGI: A gateway interface between a
web server and an external program that accepts, processes and returns data
the server then sends back to the client. We also looked at getting set up to
program Perl CGI and the basic ways to send data back to a client.
So, you can send output from a CGI process to the server (and therefore the
client), but to go further you need to know how to find and decode client
supplied data within your script; you need to be able to figure out what the
client is saying.
When it spawns the Perl process the web server puts all information into
environmental variables, except in the case of a POST request where the server
feeds some of the information (name/value pairs from your HTML form) into the
STDIN handle. More on that in a moment, but first lets look at environmental
variables.
Getting Environmental Data from the Script
Perl can access environmental data about its own process by looking in a
special array called %ENV (think environment). Hash arrays in
Perl are keyed by name, rather than number, and are indicated with the % sign.
You can find the names of the elements (also called values) of a hash array by
using the keys operator, if you don't know them already.
Perl fills the %ENV hash with the values of most of the header
lines from the HTTP transaction. The hash also holds any other values your
particular server might think are important, like the server's name or the
name of your operating system. To get the value of a single element of a hash
you evaluate the hash as a scalar and indicate the name of the element you
want. For instance, to get the value of the HOST HTTP header you could print
it:
print $ENV{'HTTP_HOST'};
or assign it to a variable:
$remote_host = $ENV{'HTTP_HOST'};
Don't assume the names of these values, the server can assign any name it
pleases. It's true that there is a great deal of standardization across
servers in this - for instance most headers that come from the clients have HTTP_
prepended to their names. It would be a seriously buggy server that altered
the names of the most important values for CGI, but it's not something you'd
want to leave unchecked if your script is behaving oddly.
Exploring your Environment
One of the first things you'll want to do is output a record of all the values
in
%ENV for your particular server. The following small CGI
script prints every name and value from a given
%ENV hash.
#!/usr/bin/perl
print_head("Variables", 200, "OK");
foreach $name (keys %ENV) {
print "the value of ", $name, " is ", $ENV{$name}, "<br>
";
}
print "</body></html>
";
exit;
The
foreach keyword loops through an array and assigns the next
value to the scalar indicated, in this case
$name. The keys
function returns an array consisting of the key values from the hash
%ENV.
For ease of reference the following chart shows the values of most of the
environmental variables you will see in a typical client to web server
transaction. However, you should always run your own tests to be sure what
information you have available.
SCRIPT_NAMESERVER_NAMESERVER_SOFTWAREREMOTE_ADDR SERVER_PROTOCOLREQUEST_METHOD
HTTP_USER_AGENTQUERY_STRING PATH
HTTP_ACCEPTHTTP_CACHE_CONTROLHTTP_X_FORWARDED_FOR SERVER_PORTHTTP_HOST
| Environmental Variable |
Value Meaning |
Example |
| The name and path to your script from the web root. |
/scripts/myscript.cgi |
| Sometimes set to the domain of your server. |
www.mydomain.com |
| The name and version of your server software. |
MyServer/2.4 |
| The IP number of the client making the request. |
207.240.80.129 |
| The version of HTTP the server is using. |
HTTP/1.0 |
| The method used by the client. |
GET |
| The identification of the client software, computability and
version. |
Mozilla/2.0 (compatible; MyBrowser/1.0) |
| The user supplied name/value pairs from your form. |
title=midsummer+night%27s+dream&author=shakespeare |
| The system paths of your script's process (where it searches for
required libraries) |
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin |
| The MIME content-types the client can accept. |
text/html, image/jpeg, image/gif |
| An HTTP 1.1 header set by the Squid Caching. |
max-age=259200 |
| Identification of the Squid |
152.67.177.122 |
| The port your server is monitoring for HTTP requests. |
80 |
| Identification of your server. |
www.myserver.com |
For a complete list of all possible HTTP headers (which you might see in
your environmental variables, depending on your server) consult the HTTP
documentation.
If you need to convert IP numbers to domain names or vica versa there are a
number of tools you can use. nslookup is included in many operating systems
(including Linux) to query a domain name server. On Linux simply type:
%nslookup mydomainnameoripnumber
You can also look at the output of the ping tool for this information.
Finding and Decoding User Data
When a client makes a request of a web server it supplies data from the
key/value pairs you specify in your HTML form. For instance, when you create a
field in a form and name that field "title", and the user fills out
that field with the value "midsummer", the key value sent is
title=midsummer.
If multiple key/value pairs are sent, they are divided by the
&
character.
If the request method is GET then these key/value pairs are appended to the
URL and the server passes them to the CGI script in the QUERY_STRING
environmental variable. If the request method is POST the client includes the
key/value pairs in the body of its request, and the server passes those values
along to the script by feeding them in a data stream to STDIN of the script's
process. In this case the server also sets CONTENT_LENGTH to be
the length in bytes of that data.
You can find out which method the client requested by looking at the value
of the REQUEST_METHOD environmental variable.
In the following Perl code we create a scalar called $form_data
and fill it with the encoded query string depending on the request method.
if ($ENV{'REQUEST_METHOD'} eq "GET") {
$form_data = $ENV{'QUERY_STRING'};
} elsif ($ENV{'REQUEST_METHOD' eq "POST") {
read(STDIN, $form_data, $ENV{'CONTENT_LENGTH'} or print_head("error", 500, "Read failed $!");
} else {
print_head("error", 300, "Client is using unsupported method");
}
In this case we have extended our if/else construct with
elsif. (Watchout,
there is no
e in
elsif!) Since the environmental
variables we are checking here are text strings, we ask
if,
"is it true that the
REQUEST_METHOD equals GET?". If
they had been numbers, we would have used
== to make the same
test.
If the request method is POST we use a Perl read command and
the length (in bytes) of the data in order to fill the scalar $form_data
with exactly that many bytes from the STDIN file handle. If neither method is
found, or if the read fails, we return an error and abort our script.
Next, we'll want to create our own array containing this query string, by
splitting it on the & character which divides the name/value
pairs:
@PAIRS = split (/&/, $form_data);
The split function returns sub-strings from a longer string by splitting the
target string on a pattern you specify in a regular expression. Split discards
the character it matched. For instance, if our
$form_data scalar
had contained the string:
title=midsummer&author=shakespeare&results=10
then our
@PAIRS array would contain 3 items:
title=midsummer,
author=shakespeare and
results=10.
Decoding Data
The client encodes the query string that contains the name/values pairs of
user-supplied data. Our next task will be to decode that data and create our own
hash to contain it.
The data is encoded because the GET method appends key/value pairs to URLs.
In order to support this method a client must make sure that nothing in that
data is a character that is not allowed in an URL, or else the entire mechanism
of the world wide web would grind to a smoldering halt. URLs must be represented
in US_ASCII plain text, so any characters that do not appear in that
specification, or that otherwise have special meanings in URLs are encoded
according to the content-type declaration of the enctype attribute to the form
tag. The default encoding type is application/x-www-form-urlencoded.
This content type demands that any other characters but the basic 24 upper and
lower case letters, digits and the characters $ - _ . and + are represented by a
three character string beginning with a % sign and followed by the hexadecimal
notation of the number for that character in the US_ASCII font table. Spaces and
multiple spaces are translated into a single + sy! mbol .
You can read more about URLs and how they are encoded in RFC 1738 at http://www.rfc-editor.org.
Understanding Hexadecimal Notation
To count in hexadecimal you need a method of notation for counting using base
16, rather than base 10. If you look at how to represent numbers using digits
in base ten, you start counting at 0 and you indicating digits in the first
column of the notation, when you reach ten you indicate a single digit in the
second column and start over from 0 again in the first column.
| Zero |
0 |
| One |
1 |
| Two |
2 |
| Three |
3 |
| Four |
4 |
| Five |
5 |
| Six |
6 |
| Seven |
7 |
| Eight |
8 |
| Nine |
9 |
| Ten |
1 0 |
| Eleven |
1 1 |
The base of a number is what you count up to before you indicate a digit in
the second column. Trouble is we only have 0-9 for digits as our language is
based on base 10 numbering (maybe because we have ten fingers). So when we're
counting in base 16 we use the letters a-f as notation for the remaining
digits we need. The number eleven, for example, would be written as B.
Counting to seventeen in Base 16 looks like this:
| Zero |
0 |
| One |
1 |
| Two |
2 |
| Three |
3 |
| Four |
4 |
| Five |
5 |
| Six |
6 |
| Seven |
7 |
| Eight |
8 |
| Nine |
9 |
| Ten |
A |
| Eleven |
B |
| Twelve |
C |
| Thirteen |
D |
| Fourteen |
E |
| Fifteen |
F |
| Sixteen |
1 0 |
| Seventeen |
1 1 |
To find the hexadecimal notation for a given number you find the closest
even product of 16 and then indicate the remainder using the table above. For
instance, 72 divided by 16 is 4, or 62, which leaves a remainder of 10. To
write 72 in hexadecimal notation you would write 4A, "four sixteens and
ten remainder". Likewise to indicate the number 255 in hexadecimal you
would write FF, as 15 sixteen are 240, so there are 15 sixteen's in the first
column, which leaves a remainder of 15 in the first column.
For instance, if your form contains a field called title and the user enters
"midsummer night's dream" the query string sent by the client using application/www-urlencoded
is:
title=midsummer+night%27s+dream.
Perl can quickly translate all the + characters back to spaces with a simple
translate operator tr:
$scalar =~ tr/+/ /;
It's difficult to see, but there's a space between those second slashes. Perl
can translate the hexadecimal codes these back for you in a single line:
$pair =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
We still remember how we first felt when we first saw this line. No, you don't
really need to understand it, and this statement will probably be the most
mathematically complex line of Perl your will ever use in the vast majority of
scripts. Just type it in and go, as millions of people have gone before you.
Now that we have decoded the query string, all that remains to do is break
our @PAIRS array up into names and values indexed into a hash,
which we will do with a simple foreach loop.
foreach $pair (@PAIRS) {
($name, $value) = split /=/, $pair;
$F{$name} = $value;
}
Now we can access our user data by the name of the HTML form field. For example,
if our form contained an input variable called "title" we could get
the value of that element in our script by looking for the value of the $F{"title"}
assignment. You can see the complete subroutine at the end of this section, but
first a word about security.
$pair =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
Here's how it works for the curious. Often, the best way to decipher complex
statements like this is to pick them apart from the inside out. It's really
just one big fat regular expression of the substitution form: s///. The s
tells Perl to substitute what comes in between the first slash pair with what
comes between the second. The =~ assignment operator says to apply this
substitution to whatever is in the $value and then fill the $value
with the result.
To decipher this, look at what's between the first slashes, which is what
Perl is looking for in the pattern: %[a-fA-F0-9][a-fA-F0-9]. A
simple text match. Perl scans the line for any series of characters that
begins with a % sign and two other characters. A range of possible matches
defines those two other characters, which is what the [] brackets indicate.
The two other characters can either be a lower case letter between a and f, an
upper case letter in the same range, or a digit between 0 and 9. This matches
the text notation of a hexadecimal number used by the URL encoding scheme.
In between the second slashes is what Perl substitutes in the value when it
finds a match. The special variable $1 is always set to whatever
was matched between the brackets ( ) of the first pattern, and the hex
operator converts that hexadecimal notation back to a regular decimal number.
That number then becomes the argument of the pack command. In this case pack
basically looks up that number in the ASCII table and returns the appropriate
US_ASCII character. The e on the end is a modifier to the entire regular
expression which forces Perl to evaluate the right hand side (the replacement
text) as a Perl expression (so the pack and hex functions get executed), while
the g modifier instructs Perl to make this match as many times as it can in
the target value, and not stop after the first time.
There. You can do this!
Security
Don't ignore security for CGI scripts -- it's so easy to make scripts secure,
while the danger of not doing so is very real. CGI scripts allow anybody on the
Internet to run a program on your machine, and to send input to that program. If
a malicious user sends input to your program and your program passes that
information to the operating environment (by passing user data to the shell or
another program) your CGI script could be used to do almost anything. If nobody
has hit your scripts with these kinds of attacks yet, then you are relying only
on the safety of numbers.
The situation is made more onerous due to the fact that Linux (Unix) shells
allow easy ways to combine commands, and Perl makes it almost trivial to send
commands to other programs.
Security in CGI is a simple matter of checking user input for characters that
have special meaning in shell commands and being careful when passing user input
to external programs.
The characters that have a special meaning are:
& ` ' " | * ? ~ > < ^ ( ) { } [ ] $
The space character is not dangerous.
Testing for Insecure Characters
This line causes our script to abort if the user supplies data that contains
any of the those characters:
if ($value =~ /[&`'\"|*?~><^(){}[]$
]/) {
print_head("die", 500, "Bad Data");
}
Some of these shell meta characters are also meta characters for regular
expressions, so we escape those in our match with the mark. We include this
test after we have decoded the user input (as it cannot match these characters
when they are represented in hexadecimal form) and after we have divided our
query string into names and values (as the & symbol is used in the CGI
protocol, which is arguably a bug, believe it or not).
Of course, logic indicates you could test for these characters only when you
were about to pass user data out of your script, rather than testing every user
supplied value as we do. Our style is a teeny, tiny bit slower, but it's
complete, and we'd rather not pit our wits against the imagination of every
possible hacker in the world, nor do we want to have to remember all this
security stuff every time we talk to the shell or an external program. You may
have particular needs for some of these characters to be supplied by your user,
and may choose to delete them from the check. That's OK, so long as you are
aware of what you are doing, and why.
Testing for Secure Characters
Some CGI programmers argue that testing for legal data is more secure than
testing for bad data. What characters you choose to define as legal are up to
you, but take a breath before your define an insecure character as legal!
Our users should have no reason to send the script anything other than the
regular 24 upper and lower case characters of the English alphabet, the digits
0-9, tabs, a dash or the @ symbol (for their email address). We test for good
data this way:
if ($form_data !~ /^[a-zA-Z0-9 -@]+$/) {
print_head("die", 500, "bad data");
}
The symbol stands for tab. The expression is preceded by the ^
modifier, which tells Perl to start from the beginning of the string, and is
terminated by + (which tells Perl to match one or more of the items
in the range) and the $ symbol, which indicates the end of the
string to Perl.
It's a good idea to read more about security. One of the best places to start
is http://www.w3.org/Security/Faq/www-security-faq.html, the WWW
Security FAQ by Lincoln D. Stein, one of the true masters of the web.
Using Taint Mode
For the truly paranoid Perl contains a built in tool called '"Taint"
which reports errors if your script passes unsecured data out of the Perl
process. You run your script in taint mode using the -T flag, either from the
command line or on the shebang line. In taint mode Perl treats all data coming
from without the process as suspect. The only way to untaint the data is to
use a regular expression to match the string you are looking for within that
data. Thus, taint mode is only as good as your ability to write a regular
expression that matches secure strings. For that reason we find taint to be
overkill and not much useful for the majority of CGI programmers, though of
course others would disagree.
The complete user decoding and security check subroutine
Our complete subroutine looks like this
sub get_user_data {
my ($name, $value, $form_data, @PAIRS);
if ($ENV{'REQUEST_METHOD'} eq "GET") {
$form_data = $ENV{'QUERY_STRING'};
} elsif ($ENV{'REQUEST_METHOD' eq "POST") {
read(STDIN, $form_data, $ENV{'CONTENT_LENGTH'}
or print_head("error", 500, "Read failed $!");
} else {
print_head("error", 300, "Client is using unsupported method");
}
$form_data =~ tr/+/ /;
$form_data =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
@PAIRS = split (/&/, $form_data);
foreach $pair (@PAIRS) {
if ($value =~ /[&`'\"|*?~><^(){}[]$
]/) {
print_head("die", 500, "Bad Data"); }
($name, $value) = split /=/, $pair;
$F{$name} = $value;
}
}
To use it with CGI scripts that require form input, we simply call it at the
start of our script
#!/usr/bin/perl
&get_user_data;
Conclusion
In this second article we have taken a close look at exactly how to safely get
at the data a client is sending to a server from within your script (or from
without it). All CGI scripts get data, manipulate it in some way and then send
results back to the client. In the first article in this series we looked at
that HTTP transaction itself and we also explored ways to send data back to the
client. In this article we looked at how to retrieve data. In subsequent
articles we may explore some of the things you can do with that data "in
the middle", things like shopping cart systems, online databases and
utilities of that sort.
About the author: SA Hayes is a writer, editor and tinkerer living in
Northern California, for which he is grateful. When not working on computers
Hayes spends his days building things and his nights driving away raccoons.
