--- Curtis Poe <[EMAIL PROTECTED]> wrote:
>
> You supplied some great information, however, your
> example of plugging the security hole has a
> security hole itself. From the command line on any
> *nix system, enter the following (assuming you
> are not in root):
>
> cd \.\.
>
> You quickly discover that the shell allows those
> dots to be escaped. In a url, that translates to
> something like:
Yes, the shell, but the program I was commenting on
didn't use the shell. And even if it had, it would
die if there was any '\' in the input anyway. Maybe I
don't get your point, but my code:
> > die "INSECURE $file !!!" if $file =~ /\.\./;
> > if ($file =~ /^([-\w./]+)$/) { $file = $1 }
> > else { die "INSECURE $file !!!" }
won't pass any '\' or '%' from your examples. If
anything, it's too paranoid: it won't work with
files like "some..file..name", and maybe:
die "INSECURE $file !!!" if $file =~ m{/\.\./|^\.\./};
would be better, but I still don't understand your
point, I'm sorry.
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
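The checks argued over in this thread, as an added example that is not code from either poster: a Python port of the character whitelist, the original "any `..`" check and the relaxed "`..` as a path segment" check, placed beside a canonical-path check so the gaps can be compared on the thread's own inputs. `BASE_DIR`, the function names and the sample inputs are assumptions made for the illustration.

```python
import posixpath
import re

# Added example, not code from the thread. It ports the two Perl checks
# discussed above to Python and puts a canonical-path check beside them.
# BASE_DIR is an assumed document root used only for illustration.
BASE_DIR = "/var/www/files"

# Perl: if ($file =~ /^([-\w./]+)$/) { $file = $1 }  -- the character whitelist.
# fullmatch is used instead of ^...$ so a trailing newline cannot slip past.
WHITELIST = re.compile(r"[-\w./]+", re.ASCII)
# Perl: /\.\./  -- the first, "too paranoid" check (rejects some..file..name).
ANY_DOTDOT = re.compile(r"\.\.")
# Perl: m{/\.\./|^\.\./}  -- the relaxed check proposed at the end of the post.
SEGMENT_DOTDOT = re.compile(r"/\.\./|^\.\./")


def naive_check(name: str) -> bool:
    """Reject any '..' anywhere, then apply the character whitelist."""
    if ANY_DOTDOT.search(name):
        return False
    return WHITELIST.fullmatch(name) is not None


def segment_check(name: str) -> bool:
    """Reject '..' only when it is a leading or inner path segment."""
    if SEGMENT_DOTDOT.search(name):
        return False
    return WHITELIST.fullmatch(name) is not None


def canonical_check(name: str, base: str = BASE_DIR) -> bool:
    """Whitelist, then resolve lexically and require the result to stay
    strictly inside base. This catches what the regexes miss: a bare '..',
    a trailing '/..', and an absolute path such as /etc/passwd (the
    whitelist allows a leading '/'). normpath is purely lexical; if symlinks
    may exist under base, a realpath() check at open time is still needed."""
    if WHITELIST.fullmatch(name) is None:
        return False
    full = posixpath.normpath(posixpath.join(base, name))
    return full.startswith(base.rstrip("/") + "/")


# Constructed inputs: the thread's own cases plus the gaps each check leaves.
SAMPLES = [
    "images/logo.png",
    r"\.\.",              # Curtis Poe's shell example: backslash is not whitelisted
    "%2e%2e/etc/passwd",  # URL-encoded dots: '%' is not whitelisted
    "../etc/passwd",
    "some..file..name",   # legitimate name that the naive check rejects
    "..",                 # bare '..': passes the segment regex, escapes base
    "foo/..",             # trailing '/..': also passes the segment regex
    "/etc/passwd",        # absolute path: the whitelist allows a leading '/'
]


def compare(names=SAMPLES) -> dict:
    """Return {name: (naive, segment, canonical)} verdicts for each sample."""
    return {n: (naive_check(n), segment_check(n), canonical_check(n)) for n in names}


if __name__ == "__main__":
    for name, (naive, segment, canonical) in compare().items():
        print(f"{name!r:24} naive={naive!s:5} segment={segment!s:5} canonical={canonical}")
```

Run it and the table shows the trade-off in the thread: the whitelist alone stops the backslash and `%` inputs, the relaxed regex admits `some..file..name` but also a bare `..`, and only the base-directory check rejects an absolute path, which the whitelist's leading `/` quietly permits.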