http://qs321.pair.com?node_id=122396


in reply to Controlling Inputted Paths in a CGI Script

You may want to check out File::Spec, which has a set of methods that may be used to sanitize a given path or filename, if I recall correctly...

Update: Having just peeked at the docs, it looks like the $convertedpath=File::Spec->abs2rel($path,$base) method might help, where $path is the path to be checked and $base is the highest level you want to allow access to within the filesystem. E.g. constructions such as $path="/allowed/../../notallowed" should return "../../notallowed" if $base=="/allowed". You can then check for a match with /^\.\./ and discard dubious paths.

Update2: Now that I stop to think about it, you could then use the converse function, File::Spec->rel2abs($convertedpath,$base) to get a properly qualified, cleaned up path ( i.e. no /../../). Note that a physical check on the filesystem is not (usually, depending on OS) done during these operations.

Update^3: In what could perhaps be viewed as irony (or perhaps just plain inconvenience), it looks like you may have to move to the Linux phase anyway to implement this idea, as it doesn't look like the File::Spec::Win32 module supports these methods (File::Spec::Unix does, of course).

HTH,
Tim

Replies are listed 'Best First'.
Re: Re: Controlling Inputted Paths in a CGI Script
by Fastolfe (Vicar) on Nov 01, 2001 at 05:13 UTC