PerlMonks
Fastolfe: you need to check for failure on your regex. Currently, if it fails and if there was a value already in $1, it will be passed to $secure. That could be disastrous. If a cracker gets your code and figures out how to pass "../../../bin/some_executable" into the previous backreference, you're back to the original problem.
Also, if the filename has a period delimited extension (and many of them do), your regex won't work (e.g. "somefile.txt").
Cheers,

Update: I'm a moron. Fastolfe is right. Read dchetlin's response below. (sniff, sniff) That's what I get for reading his code too fast :(

Join the Perlmonks Setiathome Group or just go to the link and check out our stats.

In reply to (Ovid - Duking it out over security) RE(3): Warning our Fellow Monks
by Ovid
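The pitfall Ovid raises (a failed match leaves $1 holding the value from an earlier successful match, so an unchecked `$secure = $1` silently accepts whatever the previous backreference captured) is shown below as an added example. It is not code from this thread, from Fastolfe or from dchetlin, and it says nothing about whether Fastolfe's actual code had the problem; the sub names `unsafe_untaint` / `safe_untaint` and the input strings are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed inputs standing in for CGI parameters; not from the thread.
my $dir_param = '../../../bin/some_executable';   # attacker-controlled, captured earlier
my $good_file = 'somefile.txt';                   # legitimate, but has a dot
my $bad_file  = '../etc/passwd';                  # traversal attempt

# Hypothetical unsafe untainting: reads $1 without checking whether the
# second match succeeded. A failed match does not reset $1, so the value
# captured from $dir a moment earlier is what ends up in $secure.
sub unsafe_untaint {
    my ($dir, $file) = @_;
    $dir  =~ /^(.*)$/;        # earlier successful capture: $1 is now $dir
    $file =~ /^(\w+)$/;       # return value ignored; fails on "somefile.txt"
    my $secure = $1;          # stale capture from the previous match
    return $secure;
}

# Hypothetical safe version: $1 is read only inside the branch where the
# match is known to have succeeded, and one dot-delimited extension is
# allowed so names like "somefile.txt" pass. Anything else yields undef.
sub safe_untaint {
    my ($dir, $file) = @_;
    $dir =~ /^(.*)$/;         # same earlier capture, now harmless
    if ($file =~ /^(\w+(?:\.\w+)?)$/) {
        return $1;
    }
    return;                   # undef: caller must treat this as an error
}

for my $file ($good_file, $bad_file) {
    my $unsafe = unsafe_untaint($dir_param, $file);
    my $safe   = safe_untaint($dir_param, $file);
    printf "%-16s unsafe=%-32s safe=%s\n",
        $file, $unsafe, defined $safe ? $safe : '(rejected)';
}
```

Run as a plain script it prints the stale "../../../bin/some_executable" from `unsafe_untaint` for both inputs, while `safe_untaint` returns "somefile.txt" for the first and rejects the second. Under `perl -T` the consequence is worse than a wrong value: assignment from a capture variable is exactly what untaints data, so the stale $1 hands the attacker-supplied path to the rest of the program already marked as trusted.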