PerlMonks
Re: security issues with an index.pl-type thing... by DrZaius (Monk)
on Jun 18, 2001 at 18:36 UTC (id://89306)
Yes, this is the way to do it. You'd be surprised at the number of sites you can compromise because you can do things like index.pl?template=../../../../passwd.
I wouldn't even trust a regex to 'take out the ..' either, as you could probably just do /etc/passwd instead. Yes, you could also regex off ^/ as well, but you'll be doing stuff like that as long as that script exists. Also consider using pathinfo or a mod_perl handler, because it looks a little nicer :)
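As an added example (not DrZaius's code, and not the index.pl under discussion), the script below models the three versions of the template lookup the reply talks about: the raw parameter used as a filename, the "regex off ^/ and take out the .." version, and an allowlisted lookup under a fixed directory with a canonical-path containment check. The template directory, the `home.html` file and the sample inputs are all constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not the original index.pl. Models three ways of turning
# ?template=... into a file path and shows which inputs escape.
# The template directory and its one file are constructed here.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

my $tmpl_dir = tempdir(CLEANUP => 1);         # assumed template directory
{
    open my $fh, '>', File::Spec->catfile($tmpl_dir, 'home.html') or die $!;
    print {$fh} "<h1>home</h1>\n";
    close $fh;
}

# Version 1: the hole as described. The parameter is the file to open.
sub path_unfiltered {
    my ($template) = @_;
    return $template;
}

# Version 2: "regex off ^/ and take out the ..". Still breakable: removing
# "../" from "....//" leaves "../" behind, so a single pass is not enough.
sub path_regex_filtered {
    my ($template) = @_;
    $template =~ s{^/+}{};
    $template =~ s{\.\./}{}g;
    return $template;
}

# Version 3: allowlist the name, build the path under a fixed directory,
# then canonicalize and confirm the result is still inside that directory.
sub path_allowlisted {
    my ($template) = @_;
    return undef unless defined $template
                    && $template =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    my $candidate = File::Spec->catfile($tmpl_dir, "$template.html");
    my $real = realpath($candidate);          # undef if it does not exist
    my $base = realpath($tmpl_dir);
    return undef unless defined $real && index($real, "$base/") == 0;
    return $real;
}

# Does a relative path, resolved lexically, stay under the current dir?
sub stays_inside {
    my ($path) = @_;
    return 0 if $path =~ m{^/};               # absolute: never inside
    my $depth = 0;
    for my $part (split m{/}, $path) {
        next if $part eq '' || $part eq '.';
        if ($part eq '..') { return 0 if --$depth < 0; next }
        $depth++;
    }
    return 1;
}

# Constructed attacker inputs, including the two bypasses from the reply
# (absolute path, and dots that survive a one-pass "../" removal).
my @inputs = (
    'home',
    '../../../../etc/passwd',
    '/etc/passwd',
    '....//....//....//....//etc/passwd',
);

for my $in (@inputs) {
    my $v1 = path_unfiltered($in);
    my $v2 = path_regex_filtered($in);
    my $v3 = path_allowlisted($in);
    printf "%-38s unfiltered: %-7s regex: %-7s allowlist: %s\n",
        $in,
        stays_inside($v1) ? 'ok' : 'ESCAPE',
        stays_inside($v2) ? 'ok' : 'ESCAPE',
        defined $v3 ? "ok ($v3)" : 'rejected';
}
```

Run it and note the last input: the raw version opens a nonexistent `....//....` path, but the regex version rewrites it to `../../../../etc/passwd`, so the filter creates the traversal it was meant to stop. The allowlisted version never builds a path from user-controlled separators at all; the `realpath` prefix check is there as a second line of defence in case the allowlist is later loosened.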
In Section: Seekers of Perl Wisdom