Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery

Re: Controlling Inputted Paths in a CGI Script

by tfrayner (Curate)
on Oct 31, 2001 at 22:40 UTC ( #122396=note: print w/replies, xml ) Need Help??

in reply to Controlling Inputted Paths in a CGI Script

You may want to check out File::Spec, which has a set of methods that may be used to sanitize a given path or filename, if I recall correctly...

Update: Having just peeked at the docs, it looks like the $convertedpath=File::Spec->abs2rel($path,$base) method might help, where $path is the path to be checked and $base is the highest level you want to allow access to within the filesystem. E.g. constructions such as $path="/allowed/../../notallowed" should return "../../notallowed" if $base=="/allowed". You can then check for a match with /^\.\./ and discard dubious paths.

Update2: Now that I stop to think about it, you could then use the converse function, File::Spec->rel2abs($convertedpath,$base) to get a properly qualified, cleaned up path ( i.e. no /../../). Note that a physical check on the filesystem is not (usually, depending on OS) done during these operations.

Update^3: In what could perhaps be viewed as irony (or perhaps just plain inconvenience), it looks like you may have to move to the Linux phase anyway to implement this idea, as it doesn't look like the File::Spec::Win32 module supports these methods (File::Spec::Unix does, of course).


Replies are listed 'Best First'.
Re: Re: Controlling Inputted Paths in a CGI Script
by Fastolfe (Vicar) on Nov 01, 2001 at 05:13 UTC

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://122396]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (3)
As of 2020-10-25 06:48 GMT
Find Nodes?
    Voting Booth?
    My favourite web site is:

    Results (249 votes). Check out past polls.