Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask
 
PerlMonks  

Re^3: request for review: file reading security

by pbeckingham (Parson)
on Sep 05, 2004 at 14:58 UTC ( [id://388615]=note: print w/replies, xml ) Need Help??


in reply to Re^2: request for review: file reading security
in thread request for review: file reading security

I believe your code should look for literal periods: 

  $req =~ s/^\.\.\///;

[download]
But that's still poor, because what about: 
   blah/../../topsecretpages/page.html

[download]
or 
   ../../topsecretpages/page.html

[download]
 Update: Chady is right. I retract.



pbeckingham - typist, perishable vertebrate.

Replies are listed 'Best First'.
Re^4: request for review: file reading security
by Chady (Priest) on Sep 05, 2004 at 15:57 UTC

    His regular expression does the job well. It strips everything until the last / 

    $req = 'blah/../../topsecretpages/page.html';
$req =~ s/^.*\///;
print $req;
__END__
page.html

    [download]
    He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.
    Chady | http://chady.net/
    Are you a Linux user in Lebanon? join the Lebanese Linux User Group.
[reply]
[d/l]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://388615]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others lurking in the Monastery: (2)
As of 2024-04-25 05:55 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found