[ale] OT - looking for some guidance with a perl script

Jim Lynch jwl at sgi.com
Tue Apr 22 08:55:50 EDT 2003


Hi, Jason,

I didn't bother to say, I'm a real novice at Apache.  I didn't know that
was an option plus I only want the web page to look at specific types of
files, not all of them.  I'll look at it, however.

Thanks for the tip.

Jim.

Jason Day wrote:
> 
> On Mon, Apr 21, 2003 at 08:27:00AM -0400, F. Grant Robertson wrote:
> > A regexp would probably be good enough..
> >
> > $path =~ s/\.\.\///sg;
> 
> The problem with this kind of approach is that it won't catch any
> escaped or unicode-formatted input.  Such as:
>   %2E%2E%2F
> which translates to "../" without the quotes.
> 
> Jim, I think what you are trying to do is inherently very dangerous, and
> will be very difficult to secure.  Controlling and/or validating user
> input is extremely tricky.  There are exploits posted almost daily on
> bugtraq in systems that don't validate user input properly, resulting in
> a remote (sometimes root) compromise.
> 
> Why not just enable directory browsing in your web server?
> 
> Jason
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
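The encoded-traversal case Jason raises above, worked through in Perl as an added example (this is not code from the thread or from any project the posters mention). It assumes a hypothetical CGI script serving files from one base directory; the directory tree, file names and the four sample inputs are constructed for the demo. It shows why a strip-the-bad-bits regex run before decoding misses `%2E%2E%2F`, and replaces it with an allow-list on the decoded name plus a `realpath` containment check:

```perl
#!/usr/bin/perl
# Added example (not code from the thread): three layers of checking a
# user-supplied file name in a Perl CGI script. Directory layout, file
# names and sample inputs below are constructed for the demo.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Layer 0: the naive filter from the thread, with the dots escaped so it
# matches a literal "../" rather than any two characters before a slash.
sub naive_strip {
    my ($path) = @_;
    $path =~ s{\.\./}{}g;
    return $path;
}

# What the web server (or CGI.pm) does before the script sees the value:
# decode %XX escapes. A filter that runs before decoding never sees "../".
sub url_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
    return $s;
}

# Layer 1: allow-list the *shape* of the name instead of stripping bad bits.
# Every segment must be [A-Za-z0-9._-]+, must not be "." or "..", and the
# name must end in one of the extensions the page is meant to serve.
sub safe_relative_path {
    my ($rel) = @_;
    return 0 unless defined $rel && length $rel;
    return 0 if $rel =~ m{^/} || $rel =~ /\0/;      # absolute path or NUL byte
    for my $seg (split m{/}, $rel, -1) {
        return 0 unless $seg =~ /^[A-Za-z0-9._-]+$/;
        return 0 if $seg eq '.' || $seg eq '..';
    }
    return $rel =~ /\.(?:txt|pdf|html?)\z/i ? 1 : 0;
}

# Layer 2: after the string check, resolve symlinks and ".." on disk and
# confirm the real path is still inside $base. realpath() returns undef
# when the target does not exist, which is also treated as "no".
sub resolve_under_base {
    my ($base, $rel) = @_;
    my $real_base = realpath($base) or return undef;
    my $abs = realpath(File::Spec->catfile($real_base, $rel));
    return undef unless defined $abs;
    return ($abs eq $real_base || index($abs, "$real_base/") == 0) ? $abs : undef;
}

# --- demo on a constructed directory tree ---------------------------------
my $base = tempdir(CLEANUP => 1);
make_path("$base/docs");
open my $fh, '>', "$base/docs/readme.txt" or die "open: $!";
print $fh "hello\n";
close $fh;

my @raw = (
    'docs/readme.txt',                  # legitimate request
    '../../etc/passwd',                 # literal traversal
    '%2E%2E%2F%2E%2E%2Fetc%2Fpasswd',   # encoded traversal, the case from the thread
    'docs/readme.txt%00.jpg',           # NUL truncation attempt
);

for my $input (@raw) {
    my $stripped = naive_strip($input);        # what the regex alone would do
    my $decoded  = url_decode($input);         # what the script actually receives
    my $ok       = safe_relative_path($decoded)
                && defined resolve_under_base($base, $decoded);
    printf "%-34s naive=%-22s allowlist+realpath=%s\n",
        $input, $stripped, $ok ? 'serve' : 'reject';
}
```

The order matters: the checks run on the decoded string, which is what CGI.pm's param() hands you anyway, so the `%2E%2E%2F` input arrives as `../../etc/passwd` and is rejected by the segment rule. The `realpath` step is the backstop for anything the string rules do not model (symlinks inside the base directory, a case-insensitive filesystem), and it only answers for files that already exist, which is exactly what a download script should require.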