PerlMonks  

Sanitizing user-provided path/filenames

by Fastolfe (Vicar)
on Feb 07, 2001 at 00:24 UTC ( [id://56767]=note )


in reply to Is this safe??

If you really must rely on user-provided data that maps directly to path/filenames, and can't use a token system to represent the same thing, I would explicitly declare what your valid "root" directory is, and do a check like this:

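    use CGI ':standard';
    use Cwd 'realpath';
    use File::Spec::Functions 'rel2abs';   # File::Spec itself exports nothing

    my $ROOT = "/var/myapp/docroot/"; # wherever (must itself be a resolved path)
    my $user_path = param('path');    # perhaps s/^\/+// also

    # rel2abs does not collapse "..", so resolve the result before the prefix test
    my $absolute = realpath(rel2abs($user_path, $ROOT));

    if (defined $absolute && $absolute =~ /^\Q$ROOT/) {
        # $absolute is probably within $ROOT, so process it
        if (open(my $inf, '<', $absolute)) {
            # it's here, do whatever
        } else {
            # "404 not found"
        }
    } else {
        # ERROR - They've tried to ../ their way out
    }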

Keep in mind, though, that this still lets them ../ their way anywhere they want under your declared $ROOT, so if you're expecting a filename to be in a certain place or under a certain hierarchy under your $ROOT, you need to do some additional checking/tokenizing to be sure that it actually does end up there. All this code does is keep the user sandboxed.

I too highly recommend reading perlsec and using taint-checking (-T) to better prepare yourself for potentially unsafe user-provided data.
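
An added example, not part of Fastolfe's post: on Unix, rel2abs leaves `..` segments in place and does not follow symlinks, so this script compares a prefix test on its raw output with the same test made after Cwd::realpath. The temporary directory layout and the sub names lexical_ok and resolved_ok are constructed for the demonstration, which assumes a Unix-like system with symlink support.

```perl
#!/usr/bin/perl
# Added example (not from the original post); all file names are constructed.
use strict;
use warnings;
use Cwd 'realpath';
use File::Spec::Functions qw(rel2abs catfile catdir);
use File::Temp 'tempdir';

# Constructed layout: <tmp>/docroot is the sandbox, <tmp>/secret.txt is outside it.
my $tmp  = realpath(tempdir(CLEANUP => 1));
my $ROOT = catdir($tmp, 'docroot');
mkdir $ROOT or die "mkdir: $!";
mkdir catdir($tmp, 'docroot-old') or die "mkdir: $!";   # sibling sharing the prefix
for my $f (catfile($ROOT, 'index.html'), catfile($tmp, 'secret.txt'),
           catfile($tmp, 'docroot-old', 'a.txt')) {
    open(my $fh, '>', $f) or die "open $f: $!";
    close $fh;
}
symlink(catfile($tmp, 'secret.txt'), catfile($ROOT, 'link.txt')) or die "symlink: $!";

# Lexical check: prefix test on rel2abs() output, no filesystem resolution.
sub lexical_ok {
    my ($user_path) = @_;
    return rel2abs($user_path, $ROOT) =~ /^\Q$ROOT/ ? 1 : 0;
}

# Resolved check: realpath() collapses ".." and follows symlinks, and the
# prefix must end on a path separator so "docroot-old" does not match "docroot".
sub resolved_ok {
    my ($user_path) = @_;
    my $real = realpath(rel2abs($user_path, $ROOT));
    return 0 unless defined $real;      # path does not resolve at all
    return $real =~ m{^\Q$ROOT\E/} ? 1 : 0;
}

# Constructed requests: one legitimate, then "..", prefix-sibling, symlink, absolute.
for my $p ('index.html', '../secret.txt', '../docroot-old/a.txt',
           'link.txt', '/etc/passwd') {
    printf "%-22s lexical=%d resolved=%d\n", $p, lexical_ok($p), resolved_ok($p);
}
```

A resolve-then-open sequence still leaves a window in which a path component can be swapped, so the sandbox directory should not be writable by the users whose paths are being checked.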
