[ale] OT - looking for some guidance with a perl script

Jason Day jasonday at worldnet.att.net
Mon Apr 21 10:19:02 EDT 2003


On Mon, Apr 21, 2003 at 08:27:00AM -0400, F. Grant Robertson wrote:
> A regexp would probably be good enough.. 
> 
> $path =~ s/..\///sg;

The problem with this kind of approach is that it won't catch any
escaped or unicode-formatted input.  Such as:
  %2E%2E%2F
which translates to "../" without the quotes.

Jim, I think what you are trying to do is inherently very dangerous, and
will be very difficult to secure.  Controlling and/or validating user
input is extremely tricky.  There are exploits posted almost daily on
bugtraq in systems that don't validate user input properly, resulting in
a remote (sometimes root) compromise.

Why not just enable directory browsing in your web server?

Jason
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
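To make the point above concrete, here is an added example (not code from the original thread or from Jim's script) showing that a literal "../" regex never sees percent-encoded input, alongside a decode-then-canonicalise check using only core Perl modules; the document root is a constructed temporary directory.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# The one-liner from the thread, with the dots escaped so it matches literal
# dots (an unescaped ".." in a regex means "any two characters"). Either way
# it operates on the raw string and never sees %2E%2E%2F.
sub strip_dotdot {
    my ($path) = @_;
    $path =~ s{\.\./}{}g;
    return $path;
}

# Percent-decode, repeating until the string stops changing (double encoding).
sub url_decode {
    my ($s) = @_;
    my $prev;
    do {
        $prev = $s;
        $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    } while ($s ne $prev);
    return $s;
}

# Returns the real filesystem path if $input resolves inside $docroot,
# otherwise undef: decode, allowlist, resolve, then compare prefixes.
sub safe_path {
    my ($docroot, $input) = @_;
    my $rel = url_decode($input);
    return undef unless $rel =~ m{^[A-Za-z0-9._/-]+$};   # no NUL, space, etc.
    return undef if $rel =~ m{(^|/)\.\.(/|$)};           # any ".." component
    my $root = realpath($docroot) or return undef;
    my $full = realpath(File::Spec->catfile($root, $rel)) or return undef;
    return ($full eq $root || index($full, "$root/") == 0) ? $full : undef;
}

# Constructed demo: a throwaway docroot holding one file.
my $docroot = tempdir(CLEANUP => 1);
open(my $fh, '>', "$docroot/index.html") or die $!; close $fh;

my $evil = '%2E%2E%2F%2E%2E%2Fetc%2Fpasswd';
printf "regex only : %s\n", strip_dotdot($evil);                      # unchanged
printf "decoded    : %s\n", url_decode($evil);                        # ../../etc/passwd
printf "safe_path  : %s\n", safe_path($docroot, $evil) // 'rejected';
printf "safe_path  : %s\n", safe_path($docroot, 'index.html') // 'rejected';
```

The last two lines show the encoded input being rejected while a plain filename under the document root resolves normally.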