Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number

Re: Re: Re: Problems with opendir in CGI

by tachyon (Chancellor)
on Mar 29, 2004 at 23:58 UTC ( #340797=note: print w/replies, xml ) Need Help??

in reply to Re: Re: Problems with opendir in CGI
in thread Problems with opendir in CGI

Don't use whitespace in dir names? Seriously. Although in theory you can escape it with \\ each time you interpolate you 'lose' one level of escape. Why not make your life easy?.

BTW you need some decent error checking on the supplied path. ..\..\WINNT\cmd.exe or ..\..\etc\passwd anyone? There are all manner of variations on this theme. Have a look at the Webserver error logs for the 404 not found with .. %5d and friends. I suggest:

my $full_path = '/some/path' my $cgi_path = s/\W//g; my $safe_path = "$full_path/$cgi_path";

ie only allow the final part of the path to be passed so you can remove anything non alphanumeric. If you need more path to be passed pass it as alphanumeric fragments and build the path safely. You ARE NOT SAFE trying to remove ../ as there are 101 ways to express this ie the %5D hacks that even complex regexes will miss. You need to know exactly how the shell deals with escape chars in the path to know what will happen.



Replies are listed 'Best First'.
Re: Re: Re: Re: Problems with opendir in CGI
by ogxela (Novice) on Mar 30, 2004 at 00:03 UTC

    Interesting ... when I took out the code that added escape sequences to whitespace, everything started working!

    /me shrugs. Oh well.

    alex g.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://340797]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others contemplating the Monastery: (4)
As of 2022-05-24 00:38 GMT
Find Nodes?
    Voting Booth?
    Do you prefer to work remotely?

    Results (82 votes). Check out past polls.