[ale] OT - looking for some guidance with a perl script
Jason Day
jasonday at worldnet.att.net
Mon Apr 21 10:19:02 EDT 2003
On Mon, Apr 21, 2003 at 08:27:00AM -0400, F. Grant Robertson wrote:
> A regexp would probably be good enough..
>
> $path =~ s/..\///sg;
The problem with this kind of approach is that it won't catch any
escaped or unicode-formatted input. Such as:
%2E%2E%2F
which translates to "../" without the quotes.
Jim, I think what you are trying to do is inherently very dangerous, and
will be very difficult to secure. Controlling and/or validating user
input is extremely tricky. There are exploits posted almost daily on
bugtraq in systems that don't validate user input properly, resulting in
a remote (sometimes root) compromise.
Why not just enable directory browsing in your web server?
Jason
--
Jason Day <jasonday at worldnet dot att dot net>
http://jasonday.home.att.net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
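To make the point above concrete, here is an added example (written for this archive page, not code from the thread, and in Python rather than the original Perl): a regex that deletes `../` leaves percent-encoded input untouched, while a check that resolves the final path and tests whether it still lies inside the document directory does not depend on recognising every encoding of the traversal sequence. The base directory, the function names and the sample paths are constructed for the example.

```python
"""Why stripping "../" is not enough, and a containment check instead.

Added example for the mailing-list discussion; BASE_DIR, the function
names and the sample paths below are constructed, not from the thread.
"""
import os
import re
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/files"  # constructed: directory the script serves from


def naive_strip(path: str) -> str:
    """Python equivalent of the quoted Perl regex: delete every '../'.

    Nothing here decodes the input, so '%2E%2E%2F' passes through unchanged
    and is only turned into '../' later, by whatever decodes the URL.
    """
    return re.sub(r"\.\./", "", path)


def safe_join(base: str, user_path: str) -> Optional[str]:
    """Return the absolute file path if it stays under base, else None.

    The decision is made on the resolved path, not on the presence of a
    particular substring, so encoded or repeated '..' components are
    handled by the same rule as plain ones.
    """
    decoded = unquote(user_path)           # one decoding pass, like the web server
    if "\x00" in decoded:                  # NUL would truncate the name in C APIs
        return None
    base_real = os.path.realpath(base)
    # A leading '/' is dropped so os.path.join cannot be told to ignore base.
    candidate = os.path.realpath(os.path.join(base_real, decoded.lstrip("/")))
    # commonpath, not startswith: '/var/www/files2' must not pass as inside
    # '/var/www/files'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def demo() -> dict:
    """Run both approaches over constructed inputs and return the results."""
    encoded = "%2E%2E%2Fetc%2Fpasswd"   # constructed: '../etc/passwd', encoded
    return {
        "strip_encoded": naive_strip(encoded),          # unchanged: not caught
        "strip_after_decode": naive_strip(unquote(encoded)),
        "join_plain": safe_join(BASE_DIR, "docs/readme.txt"),
        "join_dotdot": safe_join(BASE_DIR, "../etc/passwd"),
        "join_encoded": safe_join(BASE_DIR, encoded),
        "join_inner_dotdot": safe_join(BASE_DIR, "docs/../readme.txt"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value!r}")
```

The containment check allows `docs/../readme.txt` because the resolved path is still under the base directory; if a policy wants to forbid any `..` at all, that is an additional rule layered on top, not a replacement for resolving the path. Running the decode before the check is also what keeps double-encoded input harmless: `%252E` decodes to the literal text `%2E`, which is then just an oddly named directory inside the base.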
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale