[ale] OT - looking for some guidance with a perl script
Jim Lynch
jwl at sgi.com
Tue Apr 22 08:55:50 EDT 2003
Hi, Jason,
I didn't bother to say, I'm a real novice at Apache. I didn't know that
was an option plus I only want the web page to look at specific types of
files, not all of them. I'll look at it, however.
Thanks for the tip.
Jim.
Jason Day wrote:
>
> On Mon, Apr 21, 2003 at 08:27:00AM -0400, F. Grant Robertson wrote:
> > A regexp would probably be good enough..
> >
> > $path =~ s/..\///sg;
>
> The problem with this kind of approach is that it won't catch any
> escaped or unicode-formatted input. Such as:
> %2E%2E%2F
> which translates to "../" without the quotes.
>
> Jim, I think what you are trying to do is inherently very dangerous, and
> will be very difficult to secure. Controlling and/or validating user
> input is extremely tricky. There are exploits posted almost daily on
> bugtraq in systems that don't validate user input properly, resulting in
> a remote (sometimes root) compromise.
>
> Why not just enable directory browsing in your web server?
>
> Jason
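The point Jason makes above, as an added example that is not code from the thread: a single strip of "../" can be defeated by an input like "....//" (one pass turns it back into "../") or by the percent-encoded "%2E%2E%2F" that the regex never sees as dots and slashes. The safer pattern is to stop trying to enumerate bad input, join the request onto a fixed base directory, resolve it with realpath, and refuse anything that does not end up inside that base. Everything below is assumed for illustration: the naive script is modelled as filtering the raw parameter first and URL-decoding it afterwards, the files are constructed in a temporary directory, and the function names are the example's own. Only core modules are used, so it runs with a stock perl.

```perl
#!/usr/bin/perl
# Added example for the ALE thread above, not the original poster's script.
# Compares a "strip ../" filter against resolving the request under a base
# directory with realpath and checking the result stays inside it.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# The filter suggested in the thread, with the dots escaped so it matches a
# literal "../" rather than any two characters followed by a slash.
sub naive_strip {
    my ($path) = @_;
    $path =~ s/\.\.\///sg;
    return $path;
}

# Percent-decode once, the way a CGI would: "%2E%2E%2F" becomes "../".
sub url_decode {
    my ($s) = @_;
    $s =~ s/\+/ /g;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Assumed naive pipeline: filter the raw parameter, decode it, then open
# base/<result>. Returns the real path that would be opened, or undef if
# no such file exists.
sub naive_opens {
    my ($base, $requested) = @_;
    my $candidate = File::Spec->catfile($base, url_decode(naive_strip($requested)));
    return realpath($candidate);
}

# Safer resolution: decode, join onto the base, realpath the result, and
# accept it only if it is the base itself or lies strictly beneath it.
# Returns undef for anything that escapes (or does not exist).
sub resolve_under {
    my ($base, $requested) = @_;
    my $real_base = realpath($base) or return undef;
    my $candidate = File::Spec->catfile($real_base, url_decode($requested));
    my $real      = realpath($candidate);
    return undef unless defined $real;
    return undef unless $real eq $real_base || index($real, "$real_base/") == 0;
    return $real;
}

sub write_file {
    my ($name, $text) = @_;
    open(my $fh, '>', $name) or die "open $name: $!";
    print $fh $text;
    close $fh;
}

# --- Constructed layout: root/www is the served directory, root/secret.txt
# --- is a file that must never be reachable through the script.
my $root = tempdir(CLEANUP => 1);
my $base = "$root/www";
mkdir $base or die "mkdir $base: $!";
write_file("$base/index.html", "public\n");
write_file("$root/secret.txt", "private\n");
my $real_base = realpath($base);

my @requests = (
    "index.html",            # legitimate request
    "../secret.txt",         # plain traversal, caught by the regex
    "....//secret.txt",      # one strip pass leaves "../secret.txt"
    "%2E%2E%2Fsecret.txt",   # encoded, untouched by the regex, decoded later
);

for my $req (@requests) {
    my $naive = naive_opens($base, $req);
    my $safe  = resolve_under($base, $req);
    my $naive_note = !defined $naive                    ? "(no such file)"
                   : index($naive, "$real_base/") == 0  ? "inside base"
                   :                                      "ESCAPED to $naive";
    printf "%-22s naive: %-40s safe: %s\n", $req, $naive_note,
        defined $safe ? "ok" : "REJECTED";
}
```

Running it shows the third and fourth requests escaping the base directory through the naive pipeline while resolve_under rejects both; the first request is accepted by both, and the second is harmless only because the stripped name happens not to exist under the base. The realpath check also handles symlinks placed inside the served tree, which no regex on the request string can see.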
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale