comment on

Don't use whitespace in dir names? Seriously. Although in theory you can escape it with \\ each time you interpolate you 'lose' one level of escape. Why not make your life easy?.

BTW you need some decent error checking on the supplied path. ..\..\WINNT\cmd.exe or ..\..\etc\passwd anyone? There are all manner of variations on this theme. Have a look at the Webserver error logs for the 404 not found with .. %5d and friends. I suggest:

my $full_path = '/some/path'
my $cgi_path = s/\W//g;
my $safe_path = "$full_path/$cgi_path";
[download]

ie only allow the final part of the path to be passed so you can remove anything non alphanumeric. If you need more path to be passed pass it as alphanumeric fragments and build the path safely. You ARE NOT SAFE trying to remove ../ as there are 101 ways to express this ie the %5D hacks that even complex regexes will miss. You need to know exactly how the shell deals with escape chars in the path to know what will happen.

cheers

tachyon

In reply to Re: Re: Re: Problems with opendir in CGI by tachyon
in thread Problems with opendir in CGI by ogxela

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or or How to display code and escape characters are good places to start.


laziness, impatience, and hubris
	PerlMonks