[ale] OT - looking for some guidance with a perl script

Jim Lynch jwl at sgi.com
Mon Apr 21 09:40:47 EDT 2003


OK, I guess that is it then.  Thanks everyone.

Jim.

Dylan Northrup wrote:
> 
> Jim Lynch wrote:
> 
> >I've written a simple cgi perl script to recurse a directory tree
> >starting at a certain point.  It outputs an html document with links to
> >all the files in this directory.  If the user clicks on a directory link,
> >it'll go to that directory and display all the files in that directory.
> >If the user clicks on a file, the contents of the file are displayed.
> >The parameter passed to the cgi script gives the path, e. g.
> >"http://localhost/cgi-bin/ls.cgi?path=/src/cmd".  The actual path that
> >is displayed is prepended with a "root" starting point.
> >
> >What I'm trying to figure out is how to prevent someone from getting to
> >all the files on the system by adding /.. to the path or something else
> >more devious.  Now I could crack the path and look for a .. element or I
> >could store all the possible paths in a database and use a key to access
> >them.  I'm not sure there might not still be a security problem with the
> >first option and the second option seems to be overkill, besides,
> >displaying the path will be beneficial to the user.
> >
> >I'm looking for suggestions.  Too bad chroot is limited to super user.
> >Is there a package out there that would take a path and return its
> >absolute path?  That'd work, but I haven't seen any on cpan.
> >
> >
> At a previous job, one of the grad students wrote something that did this.
> His solution (and it seemed reasonable at the time) was to do the following:
> 
> $path =~ s#/[^/]+/\.\./#/#g;
> $path =~ s/\.\.//g;
> 
> The first line gets rid of '..' and whatever directory preceded it. The
> second gets rid of any '..' that may have been at the beginning of the
> path (and therefore didn't get matched by the first RE substitution).
> 
> Hope this helps.
> 
> --
> Dylan Northrup <*> docx at io.com <*> http://www.io.com/~docx/
> "Easy to bitch, easy to whine, easy to moan, easy to cry, easy to feel
>  like there ain't nothing in your life. Harder to work, harder to
>  strive, hard to be glad to be alive, but it's really worth it if you
>  give it a try."  -- Cowboy Mouth, 'Easy'
> 
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
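The thread asks how to stop "/.." (or something more devious) from walking out of the root, and the suggested answer edits the path string. The Perl script below is an added example, not code from the thread or from either poster: it resolves the requested path under the root with Cwd::realpath, which is the "take a path and return its absolute path" function Jim was looking for, and then checks that the resolved location still starts with the root. It goes one step beyond the thread's ".." case by also showing a symlink that points outside the root, which string editing cannot catch. The demo tree, $root, $outside, write_file(), safe_path() and regex_strip() are all constructed here for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): confine a CGI ?path= value to a
# fixed root by resolving it on the file system, not by editing the string.
# $root, $outside, write_file(), safe_path() and regex_strip() are
# constructed for this demo.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Small helper used only to populate the constructed demo tree.
sub write_file {
    my ($name, $body) = @_;
    open(my $fh, '>', $name) or die "$name: $!";
    print $fh $body;
    close $fh;
}

# Constructed demo tree: $root stands in for the script's "root" starting
# point, $outside for a directory that must never be reachable through it.
my $root    = realpath(tempdir(CLEANUP => 1));
my $outside = realpath(tempdir(CLEANUP => 1));
make_path("$root/src/cmd");
write_file("$root/src/cmd/hello.c", "int main(void) { return 0; }\n");
write_file("$outside/secret.txt",   "not for the web\n");
symlink($outside, "$root/src/link") or die "symlink: $!";  # link leading out of the root

# Returns the resolved absolute path when it lies inside $root, undef otherwise.
# realpath() collapses "." and ".." and follows symlinks, so the prefix test
# is made on the real location rather than on the text the user supplied.
sub safe_path {
    my ($root, $user_path) = @_;
    $user_path = '' unless defined $user_path;
    return undef if $user_path =~ /\0/;          # a NUL byte would truncate the C-level path
    my $resolved = realpath("$root/$user_path"); # undef when the target does not exist
    return undef unless defined $resolved;
    # "$root/" (with the slash) so that /srv/root does not accept /srv/rootfoo
    return undef unless $resolved eq $root || index($resolved, "$root/") == 0;
    return $resolved;
}

# The substitution approach from the thread, kept here only for comparison.
sub regex_strip {
    my ($path) = @_;
    $path =~ s#/[^/]+/\.\./#/#g;
    $path =~ s/\.\.//g;
    return $path;
}

# Constructed requests: two that should be served, one ".." escape, and
# one that walks through the symlink to a file outside the root.
for my $p ('/src/cmd', '/src/cmd/hello.c', '/src/../../', '/src/link/secret.txt') {
    my $ok = safe_path($root, $p);
    printf "%-22s regex: %-18s realpath: %s\n",
        $p, regex_strip($p), defined $ok ? "allowed ($ok)" : 'rejected';
}
```

Two points worth noting when adapting this to the listing script: Cwd::realpath returns undef for a path that does not exist, so a request for a missing file is rejected by the same check (a 404 is the natural response), and the regex version leaves '/src/link/secret.txt' untouched because nothing in the string looks suspicious, while the realpath version rejects it because the resolved location is outside $root. Checking the resolved location, rather than the string, is what makes "something else more devious" no longer a separate problem.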