in reply to Tarball Cleaner
You may want to consider adding some checks in here to make sure this can't be exploited. This should use -T and the incomming arguments should be laundered (see Untaint.pm, and perlsec). By laundering the incomming arg, you can make sure that the incomming file has a .tar/.gz extention, and ends there. You wouldn't want someone passing an arg of 'foo.tar.gz; echo <badness> > trojan' or 'foo.tar.gz; rm -rf ./'
I know it isn't a CGI, but making it somewhat safe is a good idea.
I know it isn't a CGI, but making it somewhat safe is a good idea.
Just a thought.
Cheers,
KM
|
---|
In Section
Code Catacombs