[ale] OT - looking for some guidance with a perl script

Dylan Northrup docx at io.com
Mon Apr 21 09:06:24 EDT 2003


Jim Lynch wrote:

>I've written a simple gci perl script to recurse a directory tree
>starting at a certain point.  It outputs an html document with links to
>all the files in this directory if the user clicks on a directory link,
>it'll go to that directory and display all the files in that directory.
>If the user clicks on a file, the contents of the file are displayed.
>The parameter passed to the cgi script gives the path, e. g.
>"http://localhost/cgi-bin/ls.cgi?path=/src/cmd".  The actual path that
>is displayed is prepended with a "root" starting point.
>
>What I'm trying to figure out is how to prevent someone from getting to
>all the files on the system by adding /.. to the path or something else
>more devious.  Now I could crack the path and look for a .. element or I
>could store all the possible paths in a database an use a key to access
>them.  I'm not sure there might not still be a security problem with the
>first option and the second option seems to be overkill, besides,
>displaying the path will be beneficial to the user.
>
>I'm looking for suggestions.  Too bad chroot is limited to super user. 
>Is there a package out there that would take a path and return its
>absolute path?  That'd work, but I haven't seen any on cpan.
At a previous job, one of grad students wrote something that did this.  
His solution (and it seemed reasonable at the time) was to do the following:

# Collapse "dir/../" to "/" wherever it occurs (the original used [^/] without
# the "+", so it only matched one-character directory names).
$path =~ s#/[^/]+/\.\./#/#g;
# Drop any ".." left over, e.g. at the start of the path.
$path =~ s/\.\.//g;

The first line gets rid of '..' and whatever directory preceded it. The 
second gets rid of any '..' that may have been at the beginning of the 
path (and therefore didn't get matched by the first RE substitution).

Hope this helps.

-- 
Dylan Northrup <*> docx at io.com <*> http://www.io.com/~docx/
"Easy to bitch, easy to whine, easy to moan, easy to cry, easy to feel 
 like there ain't nothing in your life. Harder to work, harder to 
 strive, hard to be glad to be alive, but it's really worth it if you 
 give it a try."  -- Cowboy Mouth, 'Easy'
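An added example (not from the thread) of the other approach the original poster asked about: resolve the real path and check that it still lies under the root, rather than scrubbing '..' from the string. It is written in Python rather than the script's Perl; the directory tree, the "escape" symlink and the function names are constructed for the demonstration.

```python
import os
import re
import tempfile

def contained_path(root, user_path):
    """Return the real filesystem path for user_path under root, or None if
    the resolved path escapes root.  os.path.realpath collapses '..' and
    follows symlinks, so no string scrubbing of '..' is needed."""
    real_root = os.path.realpath(root)
    # Strip leading slashes: os.path.join drops root if the right side is absolute.
    candidate = os.path.join(real_root, user_path.lstrip("/"))
    real = os.path.realpath(candidate)
    if real != real_root and not real.startswith(real_root + os.sep):
        return None
    return real

def regex_scrub(path):
    """The list's substitution approach (with [^/]+ so whole names match)."""
    path = re.sub(r"/[^/]+/\.\./", "/", path)
    return path.replace("..", "")

def demo():
    """Exercise both approaches on a constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src", "cmd"))
        with open(os.path.join(root, "src", "cmd", "ls.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        # A symlink inside the tree that points outside it (constructed).
        os.symlink("/", os.path.join(root, "escape"))
        real_root = os.path.realpath(root)
        ok = contained_path(root, "/src/cmd/ls.c")
        return {
            "ok": os.path.relpath(ok, real_root),
            "dotdot": contained_path(root, "/src/../../../../etc/passwd"),
            "symlink": contained_path(root, "/escape/etc/passwd"),
            # The regex cannot see the symlink, so this path passes it untouched.
            "scrub_symlink": regex_scrub("/escape/etc/passwd"),
            # ...and it mangles legitimate names that contain '..'.
            "scrub_mangle": regex_scrub("/src/notes..txt"),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that contained_path only proves containment; the script still has to handle a path that does not exist or is not readable.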


