PerlMonks  

Re: Accessing %ENV directly in script

by afoken (Prior)
on Dec 11, 2013 at 20:15 UTC (#1066704)


in reply to Accessing %ENV directly in script

Just a minor note: Bad people often insert ".." into URLs, sometimes encoded, sometimes plain. See http://en.wikipedia.org/wiki/Directory_traversal_attack. As long as you use @paths just as a way to pass parameters to your script, this may be harmless. But as soon as you construct a filename from @paths and a prefix, those bad people may gain access to files that were not meant to be accessible via the web. Also consider replacing backslashes with forward slashes (some people simply can't see a difference between them) (tr|\\|/|) and collapsing multiple slashes to single slashes (s|/+|/|g) before splitting.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)


Re^2: Accessing %ENV directly in script
by bangor (Beadle) on Dec 11, 2013 at 20:51 UTC
    Hi Alexander. I hadn't thought of people constructing the URL by hand (if that's what you mean) but then that's exactly what I do myself when testing. So fixing the slashes is designed to forgive errors here. I'm not too worried about rogue elements in @paths as any element in there must match exactly a key in a hardcoded hash otherwise it's ignored.
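As an added example (not code from either poster), here is how the normalisation afoken suggests and the hardcoded-key check bangor describes fit together before a filename is built from @paths. The %ALLOWED hash, the prefix and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allow-list, standing in for the hardcoded hash of keys
# bangor mentions; any element not present is rejected.
my %ALLOWED = map { $_ => 1 } qw(docs images reports);

# Decode percent-escapes, then normalise as afoken suggests, then split.
sub split_path {
    my ($raw) = @_;
    $raw =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;   # ".." may arrive as %2e%2e
    $raw =~ tr|\\|/|;                           # backslashes -> forward slashes
    $raw =~ s|/+|/|g;                           # collapse runs of slashes
    return grep { length } split m|/|, $raw;    # drop empty leading/trailing parts
}

# Returns the vetted elements, or an empty list if anything looks wrong.
sub vet_paths {
    my @paths = @_;
    for my $p (@paths) {
        return () if $p eq '.' || $p eq '..';   # would climb out of the tree
        return () unless $ALLOWED{$p};          # not one of the known keys
    }
    return @paths;
}

# Build a filename only from vetted elements under a fixed prefix.
sub build_filename {
    my ($prefix, $raw) = @_;
    my @paths = vet_paths(split_path($raw));
    return undef unless @paths;
    return join '/', $prefix, @paths;
}

# Constructed sample inputs (not from the thread); traversal attempts are rejected.
for my $raw ('/docs/reports', '\\docs\\\\reports', '/docs/../etc/passwd', '/docs/%2e%2e/x') {
    my $fn = build_filename('/var/www/data', $raw);
    printf "%-22s -> %s\n", $raw, defined $fn ? $fn : 'REJECTED';
}
```

The allow-list is the final gate, so anything the decode or normalisation steps miss (a double-encoded dot, for instance) still fails because it is not a known key.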
