http://qs321.pair.com?node_id=763180


in reply to Simple Path Cleanup

What you will need to do to avoid an unsafe file or path name will depend on what sorts of file names you are expecting, and what areas you consider safe. If your filenames are simple, just requiring that they match ^\w+$ should be OK. If they can contain more characters than that, you will need something more complicated, but the basic things are to exclude / and make sure your filename isn't all dots.

That's likely to be easier than trying to safely open a pathname and then make sure it is safe.

Also, consider using taint mode in your script. That would require you to sanitize filenames before opening them, halting your program if you forgot. It's a good safety net for any program manipulating the filesystem on behalf of Internet users.

Hope this helps! by assuming the directory is safe and then figuring out where you really are in the filesystem to make sure it's not what you expect.