Just another Perl shrine | |
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
BTW the hard coded < provides no protection. Beside the obvious fact that we only read from the file - not print to it consider $filename = 'ls; cd /; rm -rf *' You can satisfy the < easily with say ls then add a ; then go for your life.... The keys for security are 1) hard code the path; 2) untaint the filename so it can only contain m/^[A-Za-z._-]+\z/ which stops the old ../../../etc/passwd Setting taint mode with the -T flag will catch a lot of errors. Don't CGI without it. cheers tachyon s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print In reply to Re: Re: Re: file download security
by tachyon
|
|