Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Re: Controlling Inputted Paths in a CGI Script

by hatter (Pilgrim)
on Oct 31, 2001 at 19:10 UTC ( #122350=note: print w/ replies, xml ) Need Help??


in reply to Controlling Inputted Paths in a CGI Script

I think the general rule with anything is to explicitly permit what you think is acceptable, rather than deny what you can think of that shouldn't be there. So, if you think the path should containt letters and shouldn't contain % or $ then don't use ^%$ but instead look for a-z0-9. That'll not only stop people putting in NT variables, but also disallow all sorts of weird character escape methods.

From what you've already said, you can assume your environment is fairly sanely set up, so maybe specify that the first character after a directory separator is alphanumeric, which will stop people using blah/. blah/../ blah/.somethingsomeonehid/ etc

There are probably lots of other examples of things your environment wouldn't have, so to begin with, put in something exceedingly restrictive like /([0-9a-z -]+\\)*[a-z0-9 -]+/i then come up with several real, acceptable paths and make sure they'd work. If not, loosen your definition by as little as possible to permit them to work.

the hatter


Comment on Re: Controlling Inputted Paths in a CGI Script
Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://122350]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others pondering the Monastery: (9)
As of 2014-09-18 07:10 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (108 votes), past polls