From: James French Date: Mon, 4 Mar 2013 07:51:58 +0000 (+0800) Subject: Input sanitisation X-Git-Tag: cgi-1.0~7 X-Git-Url: https://git.ucc.asn.au/?a=commitdiff_plain;h=b23752384d253c9c42a0ca62a64df99975e7722c;p=frenchie%2Ficalparse.git Input sanitisation - UID must be numeric - Key must be alphanumeric & 16 chars long - Fixed missing vobject import --- diff --git a/fbcal.py b/fbcal.py index ff0dc09..8068f5e 100755 --- a/fbcal.py +++ b/fbcal.py @@ -22,23 +22,33 @@ import sys import cgi +import vobject import icalparse +import re #import cgitb; cgitb.enable() -form = cgi.FieldStorage() +def exitQuiet(exitstate=0): + print('Content-Type: text/html\n') + sys.exit(exitstate) if __name__ == '__main__': + form = cgi.FieldStorage() if "uid" not in form or "key" not in form: print('Content-Type: text/html\n') sys.exit(0) try: + # UID should be numeric, if it's not we have someone playing games uid = int(form['uid'].value) - key = int(form['key'].value) except: - print('Content-Type: text/html\n') - sys.exit(0) + exitQuiet() + + # The user's key will be a 16 character alphanumeric string + key = form['key'].value + re.search('[\W_]+', key) and exitQuiet() + len(key) == 16 or exitQuiet() - url = 'http://www.facebook.com/ical/u.php?uid=%s&key=%s'%(uid,key) + # Okay, we're happy that the input is sane, lets serve up some data + url = 'http://www.facebook.com/ical/u.php?uid=%d&key=%s'%(uid,key) (content, encoding) = icalparse.getHTTPContent(url) cal = vobject.readOne(unicode(content, encoding))