http://www.perlmonks.org?node_id=171790


in reply to (MeowChow) Re: -d fails outside the current working directory
in thread -d fails outside the current working directory

Thankyou!

Excuses:I did read the readdir docs, I am unfortuantely still at the stage where I get lost in the syntax and therefore don't recognise the significance of the sample code;(

Am I going to get into problems with using paths (abs or rel) when the "user defined path" is actually a relative path derived from the query parameter of an URL and the script will be running in the context of Apache?

  • Comment on Re: (MeowChow) Re: -d fails outside the current working directory

Replies are listed 'Best First'.
(MeowChow) Re3: -d fails outside the current working directory
by MeowChow (Vicar) on Jun 05, 2002 at 20:54 UTC
    There are serious security issues you need to consider if you allow users to submit their own paths, depending of course on what you're doing with those paths. For the sake of simplicity, I would recommend that you only allow alphanumerics in these path names. You can then properly untaint and scrub your path as follows: 
    my $userpath = $CGI->param('userpath');
my $basepath = "C:/wwwroot/whatever";
my $path = join '/', $basepath, $userpath =~ /\w+/g;

    [download]
    Speaking of untainting, you are using -T, right? 
       MeowChow                                   
               s aamecha.s a..a\u$&owag.print
[reply]
[d/l]

      No I'm not using -T (yet!).

      Mainly, I suspect, because I have not a clue as to what -T is?

      Currently this is way early in development -- both the script and my knowledge -- but I WILL look into it!

      Thanks for the pointer

[reply]
        -T is taint mode, used for writing secure scripts. Read all about it in perlsec. 
           MeowChow                                   
               s aamecha.s a..a\u$&owag.print
[reply]

In Section Seekers of Perl Wisdom