[8-24-98]

[1] Fixed cart deletion problem. Bug fix submitted by Dan Berkowitz.

[6-29-98]

[1] Fixed problem with a blank line at the top of the web_store.cgi script.

[2] Fixed HTML header and footers printing twice in the HTML search. Bug fix submitted by Thomas Stevenson.

[3] Changed the delete carts routine to check the taint mode before the modification time, for efficiency. Submitted by Dan Berkowitz.

[4] Removed the counter subroutine. Instead, unique cart IDs are retrieved by looking at the highest existing cart ID and incrementing it. Submitted by Dan Berkowitz.

[6-1-98]

[1] Added a note in the main README.INSTALLATION about using variable names with _ followed by a letter instead of _ followed by a number, to avoid confusing the web_store.cgi program.

[2] Added filtering code to make sure that the process ID does not have a - sign in it. Apparently it does on Win95 systems running Perl. Reported by Ignacio Bustamante.

[5-27-98]

[1] Dan Berkowitz pointed out some other areas that could use improvement.

    [a] Fixed bad_order_note so that the submit button can take the user back to the change quantity screen if the quantity was bad. This fix was implemented in the bad_order_note subroutine in web_store_html_lib.pl in the Library subdirectory. Adjusted the call in web_store.cgi from modify_quantity_of_items_in_cart to submit a different submit field name to the bad_order_note subroutine.

    [b] Moved format_text_field to the main web_store.cgi code and changed the code to be more flexible. The code for format_text_field was deleted from web_store_order_lib.pl. Also changed the formatting code in web_store_html_lib.pl to use the format_text subroutine.

[2] Modified the measured quantity fix based on feedback from Ignacio Bustamante. Modified in web_store_order_lib.pl:

    sub display_calculations
    sub display_order_form
    sub process_order_form

    Reversed the previous 4-18-98 fix in the web_store_html_lib.pl file.

[4-21-98]

[1] Fixed a problem with the cart id generation pointed out by Dan Berkowitz.
The taint regex was stripping off the .$$ part of the cart id, based on the modifications made 4-5-98. To fix this, I changed the . to an _ in lines 892 and 927, which actually generate the cart id. I decided to do this in order to make the cart filenames more friendly to Windows NT machines. Basically, a cart id in the form 83958923.38592.cart is less friendly than 358925_3243.cart, since Windows NT/DOS systems prefer to see files as having just one extension rather than the appearance of two.

Also, by suggestion, I changed line 148 so that the regex that matches the cart id adds ^ and $ anchors to make sure the cart id consists only of word characters and nothing else. Also added a check for whether the second regular expression matched. If it did not, Perl never actually clears the $1 variable. To prevent the first $1 from being assigned to $cart_id after a failed regex match, the match result is checked to see if it succeeded.

[4-18-98]

[1] Fixed a problem with calculating measured quantity in web_store_html_lib.pl. Problem/fix submitted by Ignacio Bustamante.

[4-5-98]

[1] Fixed a logic error in the password checking in the web_store_log_analyzer script.

[2] Fixed the JavaScript in the frames JavaScript version so that it works in Netscape 4.0 and IE 4.0 as well as the previous Netscape 3.0.

[3] Added code to make the $page form variable more secure. The code was added around line 119 of the web_store.cgi file and appears below with comments.

    # Modified 4-10-98 Gunther Birznieks
    #
    # Added code to stop snooping beyond the root store HTML
    # directory
    #
    # The following code only allows
    # word characters, - sign, + sign, = sign, / for sub
    # directories in the page definition
    #
    # If you find yourself needing more definitions the
    # regular expression below is the one you want to modify
    #
    # One dot is allowed for an extension. I don't allow
    # periods because of ../../.. type of manipulations
    #
    # $1 matches the first part
    # $2 matches the extension which shouldn't have
    # any weird characters in it, so I just left it
    # as matching \w (word characters)

    $page =~ /([\w\-\=\+\/]+)\.(\w+)/;
    $page = "$1.$2";
    $page = "" if ($page eq ".");
    $page =~ s/^\/+//; # Get rid of any residual / prefix

[3-31-98]

[1] Added -T taint checking to the header of the cgi script. For example,

    #!/usr/local/bin/perl

becomes

    #!/usr/local/bin/perl -T

Perl 4 Note: Perl 4 does not support the -T parameter. Instead, use

    #!/usr/local/bin/taintperl

Taint checking basically forces the programs to validate all input that is going to have any effect on files or system calls. In addition, library calls need to be explicitly named, so ./ is prefixed in front of required libraries in the current subdirectory.

[2] Made modifications to the Web Store to support taint checking. Any time a filename results from user input, such as form input, that input needs to be validated in order to be considered safe by taint checking. Thus, changes have been made to validate the data using techniques described in the Perl documentation and in the WWW Security FAQ by Lincoln Stein, located at http://www.w3.org/Security/Faq/

[3] Made modifications to the Mail and PGP Library to support taint checking. The same issues pop up here.

[4] The actual file modifications that were made follow:

[web_store.cgi]

- Added -T flag
- Around line 121, added the following lines to satisfy taint checking:

    $cart_id =~ /(\w+)/;
    $cart_id = $1;

The code above matches only WORD characters (a-z, A-Z, 0-9, underscore). The parentheses in the regular expression assign the match to a special variable, $1. Then $1 (untainted) gets assigned to $cart_id. Thus, $cart_id is no longer tainted.

[mail-lib.pl]

Since sendmail is called as an external program from the sendmail version of mail-lib.pl, the PATH environment variable needs to be untainted.
This is easily done by simply blowing the path away for the duration of the opening of the sendmail program. Note that although I am placing an absolute path to the sendmail program by default, I still need to do this because Perl does not know for sure whether I am calling a program with an absolute path. For example, Perl does not know whether sendmail is a binary program on its own or maybe a shell script that calls other programs WITHOUT absolute paths. Thus, taint checking forces us to make sure the path is safe.

Here is the code to change around line 71. It basically surrounds the existing code that opens sendmail. Note that the old path is preserved in case it turns out we need it for anything in another module.

    local($old_path) = $ENV{"PATH"};
    $ENV{"PATH"} = "";
    open (MAIL, "|$mail_program") || &web_error("Could Not Open Mail Program");
    $ENV{"PATH"} = $old_path;

[pgp-lib.pl]

I did the same basic things I did for the mail library. Sample code appears below:

    local($old_path) = $ENV{"PATH"};
    $ENV{"PATH"} = "";
    open (PGPCOMMAND, "|$pgp_command");
    $ENV{"PATH"} = $old_path;

[web_store_log_analyzer.cgi]

- Added taint mode (-T)
- Untainted the $which_log variable to make sure it satisfies a \w+ . \w+ regular expression:

    $which_log =~ /(\w+)\.(\w+)/;
    $which_log = "$1.$2";
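The untainting pattern used for $cart_id, $page and $which_log above, written out as an added example that is not part of the Web Store distribution. It applies the two changes the 4-21-98 entry describes (^ and $ anchors, and reading $1 only when the match actually succeeded) to both the cart id and the page-name filters, and includes a small demonstration of why the second change matters: Perl leaves $1 untouched when a match fails. The function names, the sample inputs and the choice of m{} delimiters are this example's own; the accepted character sets are the ones the original filters use.

```perl
#!/usr/bin/perl -T
# Added example (not Web Store code): untainting form values the way the
# 4-21-98 entry describes, with anchors and a checked match result.
# Run as: perl -T untaint_demo.pl
use strict;
use warnings;

# Cart ids are only ever word characters (the 4-21-98 entry switched the
# separator from . to _ so the whole id satisfies \w+). Anchoring with
# ^ and $ rejects any stray character; returning inside the if means $1
# is read only when the match succeeded.
sub untaint_cart_id {
    my ($cart_id) = @_;
    return undef unless defined $cart_id;
    if ($cart_id =~ /^(\w+)$/) {
        return $1;          # the copy of $1 is untainted
    }
    return undef;           # reject rather than fall through to a stale $1
}

# Page names: word characters, - = + and / for subdirectories, then one
# dot and a \w+ extension, as in the 4-5-98 $page filter, but anchored so
# that "../" can never be part of an accepted value. The leading / strip
# is kept from the original.
sub untaint_page {
    my ($page) = @_;
    return undef unless defined $page;
    if ($page =~ m{^([\w\-=+/]+)\.(\w+)$}) {
        my $safe = "$1.$2";
        $safe =~ s{^/+}{};
        return $safe;
    }
    return undef;
}

# Why the match result must be tested: a failed match leaves $1 as it was
# after the last successful match in the enclosing block.
sub stale_capture_demo {
    "cart_42" =~ /(\w+)/;      # succeeds, $1 = "cart_42"
    "../../"  =~ /(\w+)/;      # no word characters: fails, $1 is not cleared
    return $1;                 # still "cart_42"
}

if (!caller) {
    # Constructed sample inputs, including the kind of values a tampered
    # form could submit.
    for my $id ("358925_3243", "83958923.38592", "../../", "") {
        my $ok = untaint_cart_id($id);
        printf "cart id %-18s => %s\n", "'$id'", defined $ok ? $ok : "REJECTED";
    }
    for my $page ("products/widgets.html", "/index.html",
                  "../../etc/passwd", "index.html.bak") {
        my $ok = untaint_page($page);
        printf "page    %-22s => %s\n", "'$page'", defined $ok ? $ok : "REJECTED";
    }
    printf "stale \$1 after a failed match: %s\n", stale_capture_demo();
}
```

The script must be started with perl -T (or the -T on the #! line), otherwise Perl stops with "Too late for -T". With the unanchored /(\w+)/ of the 3-31-98 web_store.cgi change, an input such as "../../" matches nothing, and whatever $1 held from an earlier successful match in the same block would have been assigned to $cart_id; the checked, anchored form above returns undef instead, and the caller can refuse the request.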
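The mail-lib.pl and pgp-lib.pl PATH handling above, as an added example in Perl 5 that is not the library's own code. It keeps the idea of the original (the caller's PATH is untouched once the pipe has been opened, here through local on %ENV rather than a saved $old_path), but instead of clearing PATH it sets it to a fixed list of absolute directories and also removes IFS, CDPATH, ENV and BASH_ENV, which the perlsec documentation lists alongside PATH as variables taint mode requires to be unset or trusted before a subprocess is started. The sendmail location, the -t and -oi flags, the list-form open (which never goes through a shell), the untaint_address helper and the "send" argument that gates real delivery are this example's assumptions; the message and the fallback to /bin/cat are constructed so the script runs without a mail system.

```perl
#!/usr/bin/perl -T
# Added example (not the Web Store's mail-lib.pl): opening a pipe to an
# external program under taint checking with a clean environment.
# Run as: perl -T mail_pipe_demo.pl someone@example.com        (prints via /bin/cat)
#         perl -T mail_pipe_demo.pl someone@example.com send   (pipes to sendmail)
use strict;
use warnings;

# Assumed location; mail-lib.pl configures its own $mail_program.
my $SENDMAIL = '/usr/sbin/sendmail';

# Pipe $message into the program given as a list (program plus arguments).
# The list form of open never invokes a shell, and %ENV is localised so the
# caller's environment comes back when the sub returns, which is what the
# $old_path save/restore in mail-lib.pl does by hand.
sub pipe_message_to {
    my ($command, $message) = @_;
    local %ENV = %ENV;
    # perlsec: under -T, PATH must be untainted and every element absolute;
    # IFS, CDPATH, ENV and BASH_ENV must be unset or trusted as well, since a
    # shell script behind the program would honour them.
    $ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    open(my $pipe, '|-', @$command)
        or die "Could not open $command->[0]: $!\n";
    print $pipe $message;
    close($pipe)
        or die "$command->[0] failed: exit status " . ($? >> 8) . "\n";
    return 1;
}

# Anything from @ARGV or a form is tainted; an anchored match with a checked
# result turns it into a value that is safe to place in a mail header
# (assumed address shape, kept deliberately strict).
sub untaint_address {
    my ($addr) = @_;
    return undef unless defined $addr && $addr =~ /^([\w.+-]+@[\w.-]+)$/;
    return $1;
}

if (!caller) {
    my $to = untaint_address($ARGV[0] // '')
        or die "usage: perl -T $0 recipient\@example.com [send]\n";
    # Constructed test message.
    my $message = "To: $to\nSubject: Web Store test\n\nConstructed test message.\n";
    # Real delivery only on request and only if sendmail exists; otherwise
    # the same pipe is opened to /bin/cat, which echoes the message.
    my $really_send = @ARGV > 1 && $ARGV[1] eq 'send';
    my @command = ($really_send && -x $SENDMAIL)
        ? ($SENDMAIL, '-t', '-oi')
        : ('/bin/cat');
    pipe_message_to(\@command, $message);
}
```

The original mail-lib.pl line, open (MAIL, "|$mail_program"), hands a single string to Perl, which may start a shell to run it if the string contains metacharacters; that is one more reason the PATH cleanup matters there. Passing the program and its arguments as separate list elements avoids the shell entirely, but taint mode still checks PATH for every exec, so the environment cleanup stays.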