Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation

Re: Controlling Inputted Paths in a CGI Script

by hatter (Pilgrim)
on Oct 31, 2001 at 19:10 UTC ( #122350=note: print w/replies, xml ) Need Help??

in reply to Controlling Inputted Paths in a CGI Script

I think the general rule with anything is to explicitly permit what you think is acceptable, rather than deny what you can think of that shouldn't be there. So, if you think the path should containt letters and shouldn't contain % or $ then don't use ^%$ but instead look for a-z0-9. That'll not only stop people putting in NT variables, but also disallow all sorts of weird character escape methods.

From what you've already said, you can assume your environment is fairly sanely set up, so maybe specify that the first character after a directory separator is alphanumeric, which will stop people using blah/. blah/../ blah/.somethingsomeonehid/ etc

There are probably lots of other examples of things your environment wouldn't have, so to begin with, put in something exceedingly restrictive like /([0-9a-z -]+\\)*[a-z0-9 -]+/i then come up with several real, acceptable paths and make sure they'd work. If not, loosen your definition by as little as possible to permit them to work.

the hatter

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://122350]
erix counts their toes
[erix]: DBD::Pg 3.6.1 test has 'die;' then dies and fails wtf... (just below connect_database()

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (7)
As of 2017-05-23 08:33 GMT
Find Nodes?
    Voting Booth?