PerlMonks

Sanitizing user-provided path/filenames

by Fastolfe (Vicar)
on Feb 07, 2001 at 00:24 UTC


in reply to Is this safe??

If you really must rely on user-provided data that maps directly to path/filenames, and can't use a token system to represent the same thing, I would explicitly declare what your valid "root" directory is, and do a check like this:

    use strict;
    use warnings;
    use CGI ':standard';
    use File::Spec::Functions 'rel2abs';   # File::Spec itself exports nothing

    my $ROOT = "/var/myapp/docroot/";      # wherever
    my $user_path = param('path');         # perhaps s/^\/+// also
    defined $user_path or $user_path = '';

    # rel2abs() glues $user_path onto $ROOT but does not collapse "..",
    # so "/var/myapp/docroot/../../etc/passwd" would still begin with
    # $ROOT and pass the check below; resolve the ".." components first.
    my $absolute = collapse_dots(rel2abs($user_path, $ROOT));

    if ($absolute =~ /^\Q$ROOT/) {
        # $absolute is probably within $ROOT, so process it
        if (open(my $inf, '<', $absolute)) {
            # it's here, do whatever
            close $inf;
        } else {
            # "404 not found"
        }
    } else {
        # ERROR - They've tried to ../ their way out
    }

    # Logically remove "." and ".." components from an absolute path.
    sub collapse_dots {
        my ($path) = @_;
        my @parts;
        for my $p (split m{/}, $path) {
            next if $p eq '' or $p eq '.';
            if ($p eq '..') { pop @parts; next }
            push @parts, $p;
        }
        return '/' . join('/', @parts);
    }

Keep in mind, though, that this still lets them ../ their way anywhere they want under your declared $ROOT, so if you're expecting a filename to be in a certain place or under a certain hierarchy under your $ROOT, you need to do some additional checking/tokenizing to be sure that it actually does end up there. All this code does is keep the user sandboxed.

I too highly recommend reading perlsec and using taint-checking (-T) to better prepare yourself for potentially unsafe user-provided data.
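Added here as an illustration, not part of Fastolfe's reply: the same root-prefix check run over a few constructed inputs, but with the path resolved physically by Cwd::realpath, which also catches a case a purely logical check cannot, a symlink inside the root that points outside it (the target must exist, so an absent file comes back as undef rather than being sandboxed). safe_path and the fixture directory names are chosen for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec::Functions qw(rel2abs catfile catdir);
use File::Temp qw(tempdir);

# Resolve $user_path under $root physically (".." and symlinks alike) and
# return the real path, or undef if it does not exist or lands outside $root.
sub safe_path {
    my ($root, $user_path) = @_;
    my $real_root = realpath($root) or return;
    my $real = realpath(rel2abs($user_path, $real_root));
    return unless defined $real;                  # nonexistent: "404"
    # Compare with the separator appended so that a sibling directory such
    # as "/srv/docroot2" is not accepted as a prefix match of "/srv/docroot".
    my $inside = $real eq $real_root || index($real, "$real_root/") == 0;
    return $inside ? $real : undef;
}

# Constructed fixture: a temporary doc root holding one file, plus a symlink
# inside the root that points at a file outside it.
my $base = tempdir(CLEANUP => 1);
my $root = catdir($base, 'docroot');
mkdir $root                   or die "mkdir: $!";
mkdir catdir($root, 'docs')   or die "mkdir: $!";
for my $f ([catfile($root, 'docs', 'a.txt'), "hello\n"],
           [catfile($base, 'secret.txt'),    "top secret\n"]) {
    open my $fh, '>', $f->[0] or die "open $f->[0]: $!";
    print $fh $f->[1];
    close $fh;
}
symlink catfile($base, 'secret.txt'), catfile($root, 'leak') or die "symlink: $!";

my @cases = (
    'docs/a.txt',             # ordinary file under the root: allowed
    'docs/../docs/a.txt',     # ".." that stays under the root: allowed
    '../secret.txt',          # ".." escaping the root: rejected
    'docs/../../secret.txt',  # same trick from a subdirectory: rejected
    '/etc/passwd',            # absolute path: rejected
    'leak',                   # symlink out of the root: rejected
    'docs/missing.txt',       # under the root but absent: undef ("404")
);
for my $p (@cases) {
    my $r = safe_path($root, $p);
    printf "%-22s -> %s\n", $p, defined $r ? $r : 'rejected or missing';
}
```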
