PerlMonks  

Re^5: Getting information about a remote file via SSH: how to escape the filename

by Happy-the-monk (Monsignor)
on Jun 27, 2013 at 17:55 UTC ( #1041062=note )


in reply to Re^4: Getting information about a remote file via SSH: how to escape the filename
in thread Getting information about a remote file via SSH: how to escape the filename

How can you discern a valid filename from a malicious one in a generic way?

The OP has pointed out that in his case malicious file names would be unlikely.
I found that most of the time there was quite the possibility to narrow down the range of allowed characters to a minimum of less than 70, excluding most interpunctuation characters and shell redirects and pipes, control characters and whitespace.

But it is very good you mentioned it, as in a current project I find myself in a less fortunate position where I have to grok file names coming in through user input:
the users are real users and the file system a windows ntfs in my particular case.

Suggestions on how to stay safe are very welcome.

Cheers, Sören

(hooked on the Perl Programming language)


Re^6: Getting information about a remote file via SSH: how to escape the filename
by salva (Monsignor) on Jun 28, 2013 at 08:13 UTC
    Suggestions on how to stay safe are very welcome

    Avoid the shell as much as you can (i.e. using system $cmd, @args instead of system "$cmd @args").

    Otherwise, quote your data properly. For instance, for POSIX shells I use the following sub to quote commands and arguments:

    use strict;
    use warnings;

    # The posted snippet omits this definition; assumed here: the characters that
    # may stay unquoted (word characters, dot, slash, dash, at-sign, comma, colon).
    my $noquote_class = '.\\w/\\-@,:';
    my $glob_class    = '*?\\[\\],{}:!^~';   # glob metacharacters, not used by quote() itself

    # Quote one string so a POSIX shell sees it as a single word.
    # Written as a method: the leading shift discards the invocant, so call it
    # as Class->quote($str) or as quote(undef, $str).
    sub quote {
        shift;
        my $quoted = join '', map {
            ( m|\A'\z|                  ? "\\'"        # a single ' is backslash-escaped
            : m|\A'|                    ? "\"$_\""     # a run of 's goes in double quotes
            : m|\A[$noquote_class]+\z|o ? $_           # safe characters stay as they are
            :                             "'$_'" )     # anything else goes in single quotes
        } split /('+)/, $_[0];
        length $quoted ? $quoted : "''";               # the empty string becomes ''
    }
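    Putting salva's two suggestions together for the SSH case this thread is about, as an added example that is not code from either post: the local side uses list-form system, and the remote file name is quoted for the login shell that sshd runs on the far side. The sh_quote and remote_ls_argv names, the host host.example and the sample file names are constructed for the example; sh_quote is a simpler, quote-everything routine rather than the sub posted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Wrap a string in single quotes for a POSIX shell; an embedded ' becomes '\''.
# Simpler than the sub posted above: it quotes every argument unconditionally.
sub sh_quote {
    my ($s) = @_;
    (my $q = $s) =~ s/'/'\\''/g;
    return "'$q'";
}

# Build the argument list for ssh.  With list-form system no local shell is
# involved, but sshd hands the remote command line to the login shell on the
# far side, so the file name still has to be quoted for *that* shell.
# The '--' stops ls from treating a name that begins with '-' as an option.
sub remote_ls_argv {
    my ($host, $file) = @_;
    die "refusing host name '$host'\n" unless $host =~ /\A[\w.-]+\z/;
    return ('ssh', $host, 'ls -ld -- ' . sh_quote($file));
}

# Constructed sample names, including ones that break naive interpolation.
for my $name ("report 2013.txt", "it's here.log", "-rf", 'a; echo injected', '$(hostname).txt') {
    my @argv = remote_ls_argv('host.example', $name);
    print join(' ', map { "[$_]" } @argv), "\n";
    # system @argv;   # list form: the local side never invokes a shell
}
```

    Each printed line shows exactly three argv elements, with the whole remote command, file name included, as one element; this is what makes the remote side's quoting the only place the name needs to be right.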
