PerlMonks |
POTENTIAL SECURITY HOLE by merlyn (Sage)
on Jun 19, 2000 at 17:59 UTC [id://18791]
No. Don't use anything that starts with HTTP_ directly in a file path.
Extract the information into an untainted variable.
This is why I recommend that all CGI programs run with -T (enabling taint mode)... to keep you from making stupid dangerous mistakes like this without deliberately trying to get around it. -- Randal L. Schwartz, Perl hacker
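The advice above in working code, as an added example that is not part of merlyn's post: a CGI script run under -T that picks a help file from the Accept-Language header. The document root, the file naming scheme and the header used are assumptions for illustration. The unsafe routine interpolates the tainted %ENV value straight into the path; the safe one extracts an allow-listed language tag through a regex capture, which is the one thing that untaints data in taint mode.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode insists on a sane environment before any child process or
# path-dependent call, so clear it up front.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $doc_root = '/var/www/help';   # assumed location of per-language help files

# UNSAFE: HTTP_ACCEPT_LANGUAGE comes from the client and is tainted.
# Under -T this open() dies with "Insecure dependency in open while running
# with -T switch"; without -T a header of "../../../etc/passwd" would read
# an arbitrary file.
sub open_help_unsafe {
    my $lang = $ENV{HTTP_ACCEPT_LANGUAGE};
    open(my $fh, '<', "$doc_root/$lang.txt") or die "open: $!";
    return $fh;
}

# SAFE: copy only an allow-listed token out of the header. The capture
# group is what launders the taint, so the pattern must genuinely restrict
# the value: no '/', no '.', nothing that can leave $doc_root.
sub lang_from_header {
    my ($header) = @_;
    return 'en' unless defined $header;
    # First language tag only, e.g. "de-CH,de;q=0.9" -> "de-ch"
    if ($header =~ /^\s*([A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})?)/) {
        return lc $1;                 # $1 is untainted
    }
    return 'en';                      # junk: fall back, never pass it through
}

sub open_help_safe {
    my $lang = lang_from_header($ENV{HTTP_ACCEPT_LANGUAGE});
    my $path = "$doc_root/$lang.txt";
    $path = "$doc_root/en.txt" unless -f $path;   # unknown language: default
    open(my $fh, '<', $path) or die "open $path: $!";
    return $fh;
}

print "Content-Type: text/plain\r\n\r\n";
my $fh = open_help_safe();
print while <$fh>;
close $fh;
```

Two things to check when writing the capture: first, a pattern like `/(.*)/` also untaints, but it re-admits everything the taint check was protecting against, so treat the regex as an allow-list, not a formality; second, -T only flags the dangerous sinks (open, exec, system, unlink, chdir and the like), so the script still runs cleanly if the tainted value is only printed back, which is a separate injection problem that taint mode does not cover.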
In Section: Seekers of Perl Wisdom