Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic

Re: File Naming

by Mork29 (Scribe)
on Aug 01, 2000 at 03:05 UTC ( #25397=note: print w/replies, xml ) Need Help??

in reply to File Naming

<writes the word newbie on his forhead> Explain why? Some type of exploit for "hackers" ??

Replies are listed 'Best First'.
RE: Re: File Naming
by nardo (Friar) on Aug 01, 2000 at 05:08 UTC
    If you pass a string from a user directly to open, the person can run arbitray commands. The username ';rm nameofcgi.cgi;' for example will delete nameofcgi.cgi (on some platforms, anyways). Even if you prefix the filename with a directory, someone could use ../ to write to the directory of their choice, someone could use a \0 to prevent any appended string from being used in the filename (since the underlying C library will take the \0 to be end of string). In other words, you need to verify that the data the user has given you does not contain anything it shouldn't. You can use the -T switch (#!/usr/bin/perl -T) which will enable taint checking which will cause perl to stop when it encounters a potentially unsafe operation.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://25397]
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others lurking in the Monastery: (5)
As of 2023-12-05 15:41 GMT
Find Nodes?
    Voting Booth?
    What's your preferred 'use VERSION' for new CPAN modules in 2023?

    Results (27 votes). Check out past polls.