>>>>> "Sean" == Sean Chittenden <[EMAIL PROTECTED]> writes:
Sean> Hey. So I just went through and was auditing someone's code today
Sean> (the joy of joys that it is) and these guys were pretty reliant on their
Sean> access, authen, authz handlers for most everything related to their site
Sean> (not too atypical, IMHO). Everything was kosher EXCEPT they _never_
Sean> tested for the '.' or '..' directories in their path. For instance:
"." as a directory name should never be a problem. I'd like to see a
case where you think it might. ".." is, as you note, a problem.
Sean> # Match ./ and /.
Sean> if ($uri =~ m:\/\.|\.\/:o) { # Overly paranoid, but acceptable, regexp
Sean> return(HTTP_NOT_ACCEPTABLE);
Sean> }
Naah, I'd go with something like this:
return HTTP_NOT_ACCEPTABLE if grep $_ eq "..", split /\//, $uri;
Then "foo..bar" is OK, as is ".foo". Of course, I reject ".ANYTHING"
in my access handler, but that's up to you. :)
Also, I noticed that "fancyindexing" uses "/foo/bar/bletch/..", so you
have to permit that unless you want a lot of errors in your errlog
when you turn fancyindexing on.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
