At 06:02 PM 6/6/01 -0700, Kristina wrote:

>Hi.  I'm trying to get a better handle on writing to files and checking
>input better before I do. :) My question is, if I arbitrarily decide that
>I will not allow any filenames that have non-word characters in them, and
>if I have the directory path to these files set in the script itself as
>in:

Hi Kristina,

         Before covering what you did specifically below, allow me to 
suggest that you check documentation for references to "taint"ed variables 
and particularly the -T switch.

>my $directory = '/path/to/some/directory';
>
>If I then go:
>
>my $filename = $query->param('Filename');
>$filename =~ s/\W+//g;
>$filename =~ /(\w+)/;
>$filename = $1;

The last two lines aren't necessary.  You know that the next to last line 
will match the whole string if any.

>and
>
>if($filename eq ""){ die("No valid characters in filename");}
>
>Is it safe to assume that if I don't "die", then "$directory/$filename"
>will A) not have any non-word characters

Yes.

>and B) will be a file in
>$directory

Well you didn't include any code that would actually create the file.

>and C) will be more or less safe in terms of someone being able
>to make me write to "../../../etc" or do similar weird things? This seems
>kind of too simplistic to be safe, and I'm wondering what obvious thing(s)
>I'm missing.

You're safe from things like that.  You can't get '.', '/' or '~' so it 
will be pretty hard to mess with your directory space.

>  I'm mainly concerned about getting a filename from the form,
>and making it so I can use it without messing up things outside
>"$directory".

I think you're pretty safe with what you sent, but looking over taint stuff 
will probably help too.  Good luck!  :-)

Cheers,
Jeff
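
An added example, not part of the original message or either poster's code: a variant of the check discussed in this thread that rejects a bad name instead of stripping characters from it, using an anchored capture, which is also the step that untaints the value when the script runs under -T. The function names, the 64-character limit, the create-only open and the temporary directory are assumptions made for the illustration; the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Return a validated file name, or nothing if the input is not acceptable.
# Rejecting rather than stripping means "../../../etc/passwd" is refused
# instead of being silently turned into "etcpasswd".
sub clean_filename {
    my ($raw) = @_;
    return unless defined $raw;
    # \A...\z anchor the whole string ($ would accept a trailing newline).
    # The explicit class is ASCII-only, unlike \w on decoded Unicode text.
    # Under -T, s/// leaves the value tainted; the capture $1 does not.
    return $raw =~ /\A([A-Za-z0-9_]{1,64})\z/ ? $1 : undef;
}

# Create the file under $dir. O_EXCL refuses to overwrite an existing
# entry and refuses a symlink planted at that name.
sub create_in_dir {
    my ($dir, $raw) = @_;
    my $name = clean_filename($raw);
    return unless defined $name;
    my $path = "$dir/$name";
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return;
    close $fh;
    return $path;
}

# Constructed inputs standing in for $query->param('Filename').
my $directory = tempdir(CLEANUP => 1);   # stand-in for /path/to/some/directory
for my $raw ('report_2001', '../../../etc/passwd', "notes\n", '', 'a.b') {
    my $path = create_in_dir($directory, $raw);
    (my $shown = $raw) =~ s/\n/\\n/g;
    printf "%-24s %s\n", "'$shown'", defined $path ? "created $path" : 'rejected';
}
```

Only the first input produces a file; the other four are rejected before any path is built.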

