Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Sanitizing user-provided path/filenames

by Fastolfe (Vicar)
on Feb 07, 2001 at 00:24 UTC ( #56767=note: print w/ replies, xml ) Need Help??


in reply to Is this safe??

If you really must rely on user-provided data that maps directly to path/filenames, and can't use a token system to represent the same thing, I would explicitely declare what your valid "root" directory is, and do a check like this:

use CGI ':standard'; use File::Spec 'rel2abs'; my $ROOT = "/var/myapp/docroot/"; # wherever my $user_path = param('path'); # perhaps s/^\/+// also my $absolute = rel2abs($user_path, $ROOT); if ($absolute =~ /^\Q$ROOT/) { # $absolute is probably within $ROOT, so process it if (open(INF, "< $absolute")) { # it's here, do whatever } else { # "404 not found" } } else { # ERROR - They've tried to ../ their way out }

Keep in mind, though, that this still lets them ../ their way anywhere they want under your declared $ROOT, so if you're expecting a filename to be in a certain place or under a certain hierarchy under your $ROOT, you need to do some additional checking/tokenizing to be sure that it actually does end up there. All this code does is keep the user sandboxed.

I too highly recommend reading perlsec and using taint-checking (-T) to better prepare yourself for potentially unsafe user-provided data.


Comment on Sanitizing user-provided path/filenames
Select or Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://56767]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (7)
As of 2014-07-26 17:30 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (178 votes), past polls