Thank you for bringing this to my attention. If I ever store passwords somewhere, I will make sure to keep them out of the $collections_dir. I would probably put them in some deep dark corner of my directory structure with a name that does not look anything like the word 'password' and use something more secure than a plain text file.
I could also add / and . to the encode entities to make sure that the string that the cgi param returns will not recurse. Adding those would make your string return the following.
../../../../../../../home/aleena/passwords
I will give that serious thought. Again, thank you.
Update: Forward slashes will be HTML encoded.

my $collection = $cgi->param('collection') ? encode_entities($cgi->param('collection'),'/<>"') : undef;
My OS is Debian 10 (Buster); my perl versions are 5.28.1 local and 5.8.8 on web host.
Version control is a non-issue, I do not use it.
No matter how hysterical I get, my problems are not time sensitive. So, relax, have a cookie, and a very nice day!
Lady Aleena
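As an added example, not code from this thread, here is one way to constrain the collection parameter discussed above so that it can only name a single directory entry under $collections_dir: a whitelist pattern on the parameter, then a realpath check that the resolved location is still inside the directory. The directory location and the sample inputs are assumed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes $collections_dir and the
# CGI parameter name 'collection' as used in the discussion above.
use strict;
use warnings;
use CGI;
use File::Spec;
use Cwd qw(realpath);

my $collections_dir = '/home/aleena/collections';   # assumed location

# Return the validated, absolute path for a collection name,
# or undef if the name is rejected.
sub collection_path {
    my ($name) = @_;
    return undef unless defined $name;

    # Allow only one path component: letters, digits, underscore, hyphen.
    # This rejects '/', '.', and anything containing '..'.
    return undef unless $name =~ /\A[A-Za-z0-9_-]+\z/;

    my $path = File::Spec->catfile($collections_dir, $name);

    # realpath resolves symlinks and returns undef if the path does not exist.
    my $real = realpath($path);
    my $base = realpath($collections_dir);
    return undef unless defined $real && defined $base;

    # Final guard: the resolved path must sit below the collections directory.
    return undef unless index($real, "$base/") == 0;
    return $real;
}

# Constructed inputs: a plain name and the traversal string from the thread.
for my $input ('books', '../../../../../../../home/aleena/passwords') {
    my $result = collection_path($input);
    printf "%-45s => %s\n", $input, defined $result ? $result : 'rejected';
}

# In the CGI script itself:
my $cgi = CGI->new;
my $collection = collection_path(scalar $cgi->param('collection'));
```

The traversal string is rejected by the pattern alone; the plain name is accepted only if that directory actually exists under $collections_dir.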