Syntactic Confectionery Delight | |
PerlMonks |
RE: Tarball Cleanerby KM (Priest) |
on May 23, 2000 at 08:05 UTC ( [id://14334]=note: print w/replies, xml ) | Need Help?? |
You may want to consider adding some checks in here to make sure this can't be exploited. This should use -T and the incomming arguments should be laundered (see Untaint.pm, and perlsec). By laundering the incomming arg, you can make sure that the incomming file has a .tar/.gz extention, and ends there. You wouldn't want someone passing an arg of 'foo.tar.gz; echo <badness> > trojan' or 'foo.tar.gz; rm -rf ./' I know it isn't a CGI, but making it somewhat safe is a good idea. Just a thought.
Cheers,
In Section
Code Catacombs
|
|