[ale] OT - looking for some guidance with a perl script

Jerry Z. Yu z.yu at voicecom.com
Tue Apr 22 09:05:08 EDT 2003


If that is the case, you might want to generate a master access list
of your own, provide a drop-down of some sort, and more importantly, validate
the user/browser input with your own master list.  From what I did before,
the user's entry selection is mapped to an index number, which is in turn
validated against the range of the master list.


On Tue, 22 Apr 2003, Jim Lynch wrote:

#Hi, Jason,
#
#I didn't bother to say, I'm a real novice at Apache.  I didn't know that
#was an option plus I only want the web page to look at specific types of
#files, not all of them.  I'll look at it, however.
#
#Thanks for the tip.
#
#Jim.
#
#Jason Day wrote:
#> 
#> On Mon, Apr 21, 2003 at 08:27:00AM -0400, F. Grant Robertson wrote:
#> > A regexp would probably be good enough..
#> >
#> > $path =~ s/\.\.\///g;
#> 
#> The problem with this kind of approach is that it won't catch any
#> escaped or unicode-formatted input.  Such as:
#>   %2E%2E%2F
#> which translates to "../" without the quotes.
#> 
#> Jim, I think what you are trying to do is inherently very dangerous, and
#> will be very difficult to secure.  Controlling and/or validating user
#> input is extremely tricky.  There are exploits posted almost daily on
#> bugtraq in systems that don't validate user input properly, resulting in
#> a remote (sometimes root) compromise.
#> 
#> Why not just enable directory browsing in your web server?
#> 
#> Jason
#_______________________________________________
#Ale mailing list
#Ale at ale.org
#http://www.ale.org/mailman/listinfo/ale
#

Jerry Z. Yu				+1-404-487-8544 (O)
systems engineer			z.yu at voicecom.com
is support, voicecom, llc		www.voicecom.com
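The index-based master list Jerry describes, placed beside the regex
approach quoted further down the thread, as an added Perl example that is not
code from either poster.  It assumes the script serves ".txt" files only and
uses a constructed directory listing in place of readdir(); the HTML
drop-down and the sample form submissions are likewise made up here:

```perl
#!/usr/bin/perl
# Added example (not from the thread): offer files by index from a
# server-built master list, and validate the submitted index against it.
use strict;
use warnings;

# Constructed stand-in for readdir() results in the served directory.
my @listing = qw(report.txt notes.txt ../etc/passwd secret.pl readme.TXT);

# The regex approach from the thread.  It strips a literal "../" but
# leaves the URL-encoded form (%2E%2E%2F) untouched, as Jason points out.
sub strip_dotdot {
    my ($path) = @_;
    $path =~ s/\.\.\///g;
    return $path;
}

# Master-list approach: the server decides which files are on offer.
# Only plain names with an allowed extension survive; a '/' cannot
# appear in an entry, so no entry can point outside the directory.
sub build_master_list {
    my @master;
    for my $name (sort @_) {
        next unless $name =~ /^[\w.-]+\.txt\z/i;   # allowed type (assumption: .txt)
        next if $name =~ /^\./;                     # skip dotfiles and ".." forms
        push @master, $name;
    }
    return @master;
}

# Map the browser's submission back to a file: digits only, in range,
# and the path used to open the file comes from our list, never the client.
sub resolve_choice {
    my ($index, @master) = @_;
    return undef unless defined $index && $index =~ /^\d+\z/;
    return undef unless $index < @master;
    return $master[$index];
}

my @master = build_master_list(@listing);

# Drop-down the CGI would emit; the browser sends back only the index.
# Entry names are limited to [\w.-], so they need no HTML escaping here.
print qq{<select name="file">\n};
print qq{  <option value="$_">$master[$_]</option>\n} for 0 .. $#master;
print "</select>\n";

# Constructed form submissions, including the two traversal forms from the thread.
for my $input ('1', '7', '-1', '%2E%2E%2Fetc/passwd', '../etc/passwd') {
    my $file = resolve_choice($input, @master);
    printf "%-22s -> %s\n", $input, defined $file ? "open $file" : "rejected";
}

# For contrast: the regex passes the encoded traversal through unchanged.
printf "strip_dotdot leaves: %s\n", strip_dotdot('%2E%2E%2Fetc/passwd');
```

Run it with `perl masterlist.pl`: only indexes 0 to 2 resolve (to notes.txt,
readme.TXT and report.txt), every other submission is rejected before any
filename is built, and the last line shows why the regex alone is not enough.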
