Randal wrote:
> >>>>> "Rob" == Rob <[EMAIL PROTECTED]> writes:
>
> Rob> Is there a good tutorial on untainting data received via a cgi script?
>
> Besides "perldoc perlsec"?
>
The best way to make sure that you don't pass dangerous data to the shell is to pass no user data to the shell. There's usually a way to avoid doing so. For instance, if you need to retrieve a file for the user, don't let them input the filename. Instead map numbers to the files that you want to be retrievable, and use a drop-down menu that displays the available filenames, but submits the corresponding integer as the cgi parameter.

Tagore Smith
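The integer-to-filename approach described above, as an added example that is not part of the original reply: a taint-mode CGI script in which the only untainting regex ever needed is one that accepts digits, and the digit is then looked up in a fixed allow-list, so no user-controlled string reaches open() or the shell. The file paths are constructed, and CGI.pm is assumed to be installed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI qw(:standard);

# Constructed allow-list: the integer the form submits maps to the file
# the script is permitted to serve. The paths are hypothetical.
my %files = (
    1 => '/var/www/docs/readme.txt',
    2 => '/var/www/docs/changelog.txt',
    3 => '/var/www/docs/license.txt',
);

# Render the drop-down: the user sees the basename, the browser
# submits only the integer key.
sub menu_html {
    my %labels = map { $_ => (split m{/}, $files{$_})[-1] } keys %files;
    return start_form(-method => 'GET')
         . popup_menu(-name   => 'id',
                      -values => [sort { $a <=> $b } keys %files],
                      -labels => \%labels)
         . submit('Fetch')
         . end_form();
}

# Resolve the raw CGI parameter to an allowed path, or undef.
# Under -T the capture is what untaints the value; anything that is
# not purely digits (including "../", "|", ";") is rejected outright.
sub lookup_file {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($id) = $raw =~ /^(\d+)$/ or return undef;
    return $files{$id};    # undef for any integer not in the map
}

my $id = param('id');
if (!defined $id) {
    print header(), start_html('Files'), menu_html(), end_html();
} elsif (my $path = lookup_file($id)) {
    # Three-argument open with a literal '<' mode: the path can never
    # be interpreted as a pipe or shell command.
    open my $fh, '<', $path or die "cannot open $path: $!";
    print header('text/plain');
    print while <$fh>;
    close $fh;
} else {
    print header(-status => '400 Bad Request'), "Unknown file id\n";
}
```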