PerlMonks  

RE: CGI Security and the null byte problem

by extremely (Priest)
on Oct 26, 2000 at 10:39 UTC (#38560=note)


in reply to CGI Security and the null byte problem

You left out a simple example or two on how to specify what you will allow. So, allow me =)

use strict;
use warnings;
use CGI;

my $cgi  = CGI->new;
my $file = $cgi->param( 'file' );
my $data;

#
# One way
#
$file =~ s#[^A-Z0-9a-z.]+##g;   # strip down to alphanum and period
                                # can change the meaning of what people post.
$file =~ m#(.*)#;               # evil evil evil if you haven't stripped.
$data = $1 || "";               # not really necessary to have alternate, nice tho.

#
# Alternate way
#
$file =~ m#([A-Z0-9a-z.]+)#;    # grab first good chunk.
                                # can potentially ignore a lot of data and boggle the user
$data = $1 || "";               # you really want this now, match can fail.
                                # (was `$1 | ""`, a bitwise or; `||` is the intended fallback)

#
# My "best" way
#
die "Eeeek! Evil data sent to the 'file' parameter!\n"
    if ($file =~ m#[^A-Z0-9a-z.]#);
# now use the first method above to detaint anyway...

--
$you = new YOU;
honk() if $you->love(perl)
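The following is an added example, not code from extremely's post, showing the allow-list idea above carried through as a stand-alone check and run against a few constructed inputs, including one carrying a null byte. The sub names `validate_file_param` and `unanchored_check` and the sample strings are assumptions made here for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list check for a CGI 'file' parameter. Returns the validated
# name, or undef when any character outside [A-Za-z0-9.] is present.
# The pattern is anchored with \A and \z, so a null byte, a slash or a
# newline cannot sit before or after an otherwise acceptable run of
# characters. Under taint mode (-T) the capture in $1 is what detaints
# the value; run as `perl -T script.pl` to see that in effect.
sub validate_file_param {
    my ($file) = @_;
    return undef unless defined $file;
    return undef unless $file =~ m{\A([A-Za-z0-9.]+)\z};
    return $1;
}

# The same character class without anchors: it is satisfied as soon as
# the first run of acceptable characters is found, so "report.txt\0.html"
# passes even though the C-level open() would stop at the null byte.
sub unanchored_check {
    my ($file) = @_;
    return $file =~ m{[A-Za-z0-9.]+} ? 1 : 0;
}

# Constructed sample inputs, not captured from any real request.
my @samples = (
    "report.txt",
    "report.txt\0.html",
    "../other.txt",
    "",
);

for my $input (@samples) {
    (my $shown = $input) =~ s/\0/\\0/g;    # make the null byte visible in output
    my $strict = defined validate_file_param($input) ? "accepted" : "rejected";
    my $loose  = unanchored_check($input)            ? "accepted" : "rejected";
    printf "%-22s anchored: %-9s unanchored: %s\n", "'$shown'", $strict, $loose;
}
```

Only `report.txt` survives the anchored check; the null-byte and path-separator inputs are accepted by the unanchored form and rejected by the anchored one, which is the difference between "grab the first good chunk" and "the whole value must be good".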