http://www.perlmonks.org?node_id=36310


in reply to RE: RE: Warning our Fellow Monks
in thread Warning our Fellow Monks

Fastolfe: you need to check for failure on your regex. Currently, if it fails and if there was a value already in $1, it will be passed to $secure. That could be disastrous. If a cracker gets your code and figures out how to pass "../../../bin/some_executable" into the previous backreference, you're back to the original problem.

Also, if the filename has a period delimited extension (and many of them do), your regex won't work (e.g. "somefile.txt").

Cheers,
Ovid

Update: I'm a moron. Fastolfe is right. Read dchetlin's response below. (sniff, sniff)

That's what I get for reading his code too fast :(

Join the Perlmonks Setiathome Group or just go the the link and check out our stats.

  • Comment on (Ovid - Duking it out over security) RE(3): Warning our Fellow Monks

Replies are listed 'Best First'.
RE: (Ovid - Duking it out over security) RE(3): Warning our Fellow Monks
by dchetlin (Friar) on Oct 12, 2000 at 03:16 UTC

    Here's the REx Fastolfe posted:

    ($secure) = ($tainted =~ /(\w+)/);

    I certainly agree that the success needs to be checked, as there's an open being called with $secure on the next line, but $secure will not be ending up with a previous value of $1; if the REx fails, it will simply be undefined.

    -dlc