[ale] OT - looking for some guidance with a perl script
Jim Lynch
jwl at sgi.com
Mon Apr 21 08:01:35 EDT 2003
I've written a simple gci perl script to recurse a directory tree
starting at a certain point. It outputs an html document with links to
all the files in this directory if the user clicks on a directory link,
it'll go to that directory and display all the file in that directory.
If the user clicks on a file, the contents of the file are displayed.
The parameter passed to the cgi script gives the path, e. g.
"http://localhost/cgi-bin/ls.cgi?path=/src/cmd". The actual path that
is displayed is prepended with a "root" starting point.
What I'm trying to figure out is how to prevent someone from getting to
all the files on the system by adding /.. to the path or something else
more devious. Now I could crack the path and look for a .. element or I
could store all the possible paths in a database an use a key to access
them. I'm not sure there might not still be a security problem with the
first option and the second option seems to be overkill, besides,
displaying the path will be beneficial to the user.
I'm looking for suggestions. Too bad chroot is limited to super user.
Is there a package out there that would take a path and return its
absolute path? That'd work, but I haven't seen any on cpan.
Thanks,
Jim.
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
More information about the Ale
mailing list