comment on

That works. Basically you need to untaint the value you were passed after making sure it is valid. Checking it against a hash of valid values will do the trick, or as this site does, looking it up in a database.

Make sure that you use the correct filename portion of the URL (stip off arguments, add the absolute path if needed, etc.) when you do the validation.

It also might make some sense to not have a subroutine to open the filehandle, but rather just get the filename from the validator and have a standard block of code open it.

-ben

In reply to Re: security issues with an index.pl-type thing... by knobunc
in thread security issues with an index.pl-type thing... by derek3000

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


good chemistry is complicated, and a little bit messy -LW
	PerlMonks