Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

Sanitizing user-provided path/filenames

by Fastolfe (Vicar)
on Feb 07, 2001 at 00:24 UTC ( #56767=note: print w/ replies, xml ) Need Help??


in reply to Is this safe??

If you really must rely on user-provided data that maps directly to path/filenames, and can't use a token system to represent the same thing, I would explicitely declare what your valid "root" directory is, and do a check like this:

use CGI ':standard'; use File::Spec 'rel2abs'; my $ROOT = "/var/myapp/docroot/"; # wherever my $user_path = param('path'); # perhaps s/^\/+// also my $absolute = rel2abs($user_path, $ROOT); if ($absolute =~ /^\Q$ROOT/) { # $absolute is probably within $ROOT, so process it if (open(INF, "< $absolute")) { # it's here, do whatever } else { # "404 not found" } } else { # ERROR - They've tried to ../ their way out }

Keep in mind, though, that this still lets them ../ their way anywhere they want under your declared $ROOT, so if you're expecting a filename to be in a certain place or under a certain hierarchy under your $ROOT, you need to do some additional checking/tokenizing to be sure that it actually does end up there. All this code does is keep the user sandboxed.

I too highly recommend reading perlsec and using taint-checking (-T) to better prepare yourself for potentially unsafe user-provided data.


Comment on Sanitizing user-provided path/filenames
Select or Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://56767]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others making s'mores by the fire in the courtyard of the Monastery: (12)
As of 2015-07-03 09:09 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









    Results (51 votes), past polls