PerlMonks

Re: Re: Re: file download security
by tachyon (Chancellor) on Apr 16, 2002 at 14:01 UTC [id://159484]
BTW the hard coded < provides no protection. Besides the obvious fact that we only read from the file - not print to it - consider

    $filename = 'ls; cd /; rm -rf *'

You can satisfy the < easily with, say, ls, then add a ; then go for your life....

The keys for security are:

1) hard code the path;
2) untaint the filename so it can only contain m/^[A-Za-z._-]+\z/ which stops the old ../../../etc/passwd

Setting taint mode with the -T flag will catch a lot of errors. Don't CGI without it.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
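The two points above (a hard-coded directory plus a whitelist untaint of the filename, run under -T) as a complete script. This is an added example, not tachyon's code or the original poster's script; the download directory /var/www/downloads and the sample inputs are assumptions made up for the demonstration. It goes a little beyond the post: it also refuses names made only of dots and uses the three-argument form of open, so the filename is never parsed for '<', '>' or '|' the way the two-argument form parses it.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): a file download handler
# skeleton for a CGI script running under taint mode (-T).
use strict;
use warnings;

# 1) Hard-code the directory. Nothing from the request ever becomes part
#    of this path except the single, validated filename component.
#    (The directory is an assumption for this example.)
my $DOWNLOAD_DIR = '/var/www/downloads';

# 2) Untaint the filename with a whitelist. Perl only untaints data that
#    comes out of a regex capture, so we return $1, not the raw input.
#    The character class contains no '/' and no "\0", so "../../etc/passwd"
#    and "foo\0.txt" can never match. Names made only of dots ('.', '..')
#    are refused explicitly as an extra check.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    return if $raw =~ /\A\.+\z/;                  # '.' and '..' are not files to serve
    return unless $raw =~ /\A([A-Za-z0-9._-]+)\z/;
    return $1;                                    # untainted copy
}

# 3) Open read-only with three-argument open. The mode is a separate
#    argument, so '<', '>' or '|' inside $path cannot change what open does.
sub serve_file {
    my ($raw) = @_;
    my $name = untaint_filename($raw);
    die "Bad filename\n" unless defined $name;
    my $path = "$DOWNLOAD_DIR/$name";
    open my $fh, '<', $path or die "Cannot open $path: $!\n";
    binmode $fh;
    local $/;                                     # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Demonstration on constructed inputs; no CGI environment is needed.
for my $input ('report.txt', '../../../etc/passwd', 'ls; cd /; rm -rf *', '..', "a\0b") {
    my $ok = untaint_filename($input);
    (my $shown = $input) =~ s/\0/\\0/g;           # make the NUL visible when printed
    printf "%-28s -> %s\n", "'$shown'", defined $ok ? "accepted as '$ok'" : 'rejected';
}
```

Run it as perl -T download.pl. Of the five constructed inputs only report.txt passes the whitelist; the traversal string is refused because '/' is not in the class, the shell string because of the spaces and ';', '..' by the dots check, and "a\0b" because NUL is not in the class. In a real handler serve_file() would be called with the request parameter and its return value written to STDOUT after the HTTP headers.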
In Section: Seekers of Perl Wisdom