PerlMonks
(tye)Re: CGI OO 'param' vs. hash
by tye (Sage) on Jul 10, 2001 at 01:34 UTC ( [id://95173]=note )
No, you don't need a shell for nul bytes to be a security problem. Lots of C APIs won't handle nul bytes. For example: open( X, "> test\0me.txt" ) will succeed and will create a file called simply "test".

And if you want to send something to a shell, you need to decide what characters to allow, rather than what characters to not allow. /(\w[-\w.]*)/ is a good, generic starting point.

- tye (but my friends call me "Tye")
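An added example, not part of tye's post: the allowlist pattern above used as a whole-value check on a file name from untrusted input, run over constructed samples that include the nul-byte name from the post. The `safe_filename` helper, the `\A`/`\z` anchors and the `/a` modifier are assumptions of this example, not something the post specifies.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: return the name if the WHOLE value fits the
# allowlist, otherwise undef. The character set is the one from the post;
# the anchors and /a are additions made for this example.
#   \A ... \z  the entire string must match (\z, unlike $, does not
#              tolerate a trailing newline)
#   /a         keep \w to ASCII [A-Za-z0-9_] (Perl 5.14 or later)
sub safe_filename {
    my ($input) = @_;
    return undef unless defined $input;
    # First character must be a word character, so no leading '-' (which
    # a command could read as an option) and no leading '.'.
    return $input =~ /\A(\w[-\w.]*)\z/a ? $1 : undef;
}

# Constructed sample inputs.
my @samples = (
    "report.txt",
    "notes-2001.07.10",
    "test\0me.txt",      # nul byte, as in the post
    "../etc/passwd",     # path separator
    "-rf",               # leading dash
    "a;rm -rf x",        # shell metacharacters and spaces
    "ok.txt\n",          # trailing newline
);

for my $raw (@samples) {
    # Render non-printable bytes visibly for the report.
    (my $shown = $raw) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    my $name = safe_filename($raw);
    printf "%-22s %s\n", qq("$shown"),
        defined $name ? "accepted as $name" : "rejected";
}

# For contrast: the unanchored pattern captures only the leading run of
# allowed characters, so the nul-byte name silently becomes a different one.
if ( "test\0me.txt" =~ /(\w[-\w.]*)/ ) {
    print "unanchored capture: $1\n";
}
```

Rejecting the whole value surfaces the bad input to the caller, while the unanchored capture hands back a shortened name that the caller never asked for.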