On 2004.8.26, at 04:45 AM, Bill Stephenson wrote:

On Aug 25, 2004, at 10:59 AM, Mark Wheeler wrote:

Hi Joel,

Thanks for your input. In regards to filename, I'm assuming you are talking about the filename passed within the HTML, right? I think what I will probably do is pass an ID number to the script and then process it that way. I will still check for "../" anywhere in the passed ID, as well as "/" at the beginning of the ID. You mentioned that "V is /". I'm afraid you lost me there. Can you explain?

I'm curious, I've seen the "../" thing mentioned many times over the years but I've never successfully created a script that would open a file that way. I use a "Clean Name" sub-routine (that I got from Lincoln's CGI book) just to be safe on files I want to process or return to a client;


sub clean_name {
   unless ($selected_file =~/^[\w\._\-]+$/) {

That'll disallow some valid filename characters, particularly in Unix. But that's okay if you never use it to validate filenames that have those characters, and it side-steps a lot of picky details about trying to find all the "naughty" stuff.


print "<STRONG>$selected_file has naughty characters. Only ";
print "alphanumerics are allowed. You can't use absolute names.</STRONG>";
die "Attempt to use naughty characters";
}
return "$selected_file";
}


Still, I've tried scripts without it and they will never open a file name input from a form like:

        http://site.com/server.cgi?file=../../../../../../../etc/passwd

Maybe it's because I usually append the $file to a $path

How deeply nested is the path? would be one question.

or never input the right combo of "../" (path info) but I've never seen it work. Can someone actually show me a cgi script example that does this?

From a casual examination, I would guess that the sample Mark posted should be one that would do this. (It occurs to me that he really might probably prefer not to have anything he's pumping out to the web right under root the way it looks like he's got his images directory.)


It seems to me that the file permissions for "etc/passwd" should prevent this from working in the first place.

Well, open up a terminal window and look at the permissions:

% ls -la /etc
% ls -la /etc/passwd

--
Joel Rees
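
Added example, not part of the thread and not code from any of its participants: a Perl sketch of the two points discussed above, that appending the submitted name to a base path does not by itself contain "../", and that an allowlist like clean_name's still lets "." and ".." through. The directory layout, file names and safe_path() are hypothetical and constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread). $base, the file names and
# safe_path() are hypothetical names chosen for this illustration.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Spec;

# Constructed layout: <tmp>/secret.txt sits outside <tmp>/images/
my $root = realpath(tempdir(CLEANUP => 1));
my $base = File::Spec->catdir($root, 'images');
mkdir $base or die "mkdir: $!";
for my $f ("$root/secret.txt", "$base/logo.gif") {
    open my $fh, '>', $f or die "create $f: $!";
    print {$fh} "constructed sample\n";
    close $fh;
}

# Returns the canonical path if $name is a plain file name that resolves
# to a regular file inside $base; otherwise returns undef.
sub safe_path {
    my ($base, $name) = @_;
    return unless defined $name;
    # Same character allowlist as the thread's clean_name; \z instead of $
    # so a trailing newline cannot slip through.
    return unless $name =~ /\A[\w.\-]+\z/;
    # "." and ".." pass the allowlist, so reject dot-only names.
    return if $name =~ /\A\.+\z/;
    my $real = realpath(File::Spec->catfile($base, $name));
    return unless defined $real && -f $real;
    # Containment check after symlinks and ".." have been resolved.
    return index($real, "$base/") == 0 ? $real : undef;
}

for my $name ('logo.gif', '../secret.txt', '..', '/etc/passwd', "logo.gif\n") {
    # Appending to a path does not contain the request: the OS still
    # resolves ".." segments when the joined path is opened.
    my $naive = File::Spec->catfile($base, $name);
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-14s naive join is a file: %-3s  safe_path: %s\n",
        $shown,
        (-f $naive ? 'yes' : 'no'),
        (defined safe_path($base, $name) ? 'accepted' : 'rejected');
}
```

Only logo.gif is accepted by safe_path(); the naive join reports "yes" for ../secret.txt because the file one level above the constructed images directory is reachable through the joined path.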


