On Aug 25, 2004, at 10:59 AM, Mark Wheeler wrote:

Hi Joel,

Thanks for your input. In regards to filename, I'm assuming you are talking about the filename passed within the HTML, right? I think what I will probably do is pass an ID number to the script and then process it that way. I will still check for "../" anywhere in the passed ID, as well as "/" at the beginning of the ID. You mentioned that "V is /". I'm afraid you lost me there. Can you explain?

I'm curious, I've seen the "../" thing mentioned many times over the years but I've never successfully created a script that would open a file that way. I use a "Clean Name" subroutine (that I got from Lincoln's CGI book) just to be safe on files I want to process or return to a client:


sub clean_name {
    # The file name is taken as an argument rather than read from a global.
    my ($selected_file) = @_;

    # Allow only a single path component: word characters, dots and dashes.
    # (\w already covers the underscore.) A "/" anywhere, or an empty name, fails.
    unless ($selected_file =~ /^[\w\.\-]+$/) {
        # Note: the rejected name is echoed back into the HTML without escaping.
        print "<STRONG>$selected_file has naughty characters. Only ";
        print "alphanumerics are allowed. You can't use absolute names.</STRONG>";
        die "Attempt to use naughty characters";
    }
    return $selected_file;
}


Still, I've tried scripts without it and they will never open a file name input from a form like:

        http://site.com/server.cgi?file=../../../../../../../etc/passwd

Maybe it's because I usually append the $file to a $path or never input the right combo of "../" (path info) but I've never seen it work. Can someone actually show me a cgi script example that does this? It seems to me that the file permissions for "etc/passwd" should prevent this from working in the first place.

Kindest Regards,

Bill Stephenson
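A worked example, added here as an illustration and not code from any of the people in this thread, of the check Mark describes (reject "../" anywhere and "/" at the start) done against a fixed base directory. It assumes a base directory of /var/www/files and a helper name safe_path, both chosen for the example. It also shows the one input a character-class test like the clean_name regex still lets through: the bare name "..", which contains no "/" but, once appended to $path, names the parent directory. The CGI module has already URL-decoded the parameter by the time a script sees it, so the check works on the decoded string.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Assumed base directory for this example; every served file must live under it.
my $BASE_DIR = '/var/www/files';

# Character-class check of the kind shown earlier in the thread (for comparison).
sub looks_clean {
    my ($name) = @_;
    return $name =~ /^[\w\.\-]+$/ ? 1 : 0;
}

# Build an absolute path under $BASE_DIR from an untrusted relative name.
# Returns undef when the name must not be served.
sub safe_path {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    return undef if $name =~ /\0/;                       # NUL would truncate the path in C
    return undef if File::Spec->file_name_is_absolute($name);   # leading "/"

    # Normalise "a//b" and "a/./b", then look at every component by itself.
    my @parts = File::Spec->splitdir(File::Spec->canonpath($name));
    for my $part (@parts) {
        return undef if $part eq '..' || $part eq '.' || $part eq '';
    }

    my $full = File::Spec->catfile($BASE_DIR, @parts);
    # Belt and braces: the result must still sit below the base directory.
    return undef unless index($full, "$BASE_DIR/") == 0;
    return $full;
}

# Constructed inputs: a plain name, the traversal string from the thread, and "..".
for my $input ('report.txt', '../../../../../../../etc/passwd', '..', '/etc/passwd') {
    my $full = safe_path($input);
    printf "%-40s regex=%d  safe_path=%s\n",
        $input, looks_clean($input), defined $full ? $full : 'REJECTED';
}
# 'report.txt'  -> /var/www/files/report.txt
# '../../../../../../../etc/passwd' -> REJECTED (contains "..")
# '..'          -> regex accepts it, safe_path REJECTED
# '/etc/passwd' -> REJECTED (absolute)
```

The component-by-component test is what makes the difference: the regex answers "are these characters allowed?", while safe_path answers "does this name stay inside the directory I intend to serve from?", which is the question that matters when the name is joined to $path. Whether the web server's user can read /etc/passwd is a separate matter; on most systems that file is world-readable, which is why it is the usual demonstration target.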


