Re: Untaint IP address/hostname question

Replies are listed 'Best First'.
Re: Re: Untaint IP address/hostname question by hsinclai (Deacon) on Mar 08, 2004 at 23:40 UTC
Not sure that regex above works all that well as an untainter:)... it allows: `999.000.999.000` as an IP address and look what it does to the legal domain name `neonutt.firstpart-secondpart.co.uk` Just for your IP addresses (not for your domain names), maybe something like this regex gets closer to what you need? `/((\d \| [01]?\d\d \| 2[0-4]\d \| 25[0-5] )\.){3}(\d \| [01]?\d\d \| 2[0-4] +\d \| 25[0-5] )/` [download] Do people really test for the binary representation of the address too? I haven't seen it that often... but, then again, I dont' get out often. -hsinclai	[reply] [d/l] [select]
Re: Re: Re: Untaint IP address/hostname question by ambrus (Abbot) on Mar 10, 2004 at 20:27 UTC
Not sure that regex above works all that well as an untainter:)... it allows: 999.000.999.000 I disagree. See Re: Untaint IP address/hostname question.	[reply]
Re: Re: Re: Re: Untaint IP address/hostname question by hsinclai (Deacon) on Mar 11, 2004 at 13:46 UTC
If you mean the next program down the line should finally decide whether the IP address is valid, I disagree. In this situation this regexp should deal with the lower level checking of the basic address validity. 999.000.999.000 is not a valid IP address. Otherwise you're allowing garbage input further down the chain of execution, while you bask in your cerebral interpretation of the definition of "taint" :) you'll have to check what characters that program accepts. What program that deals with IP addresses will accept "999.000.999.000" as valid? Do you mean we have drop everything, and go check with that program first?	[reply]


No such thing as a small change
	PerlMonks