in reply to Re: Re: escaping filenames taken in via user input
in thread escaping filenames taken in via user input

the problem is I don't have access to the web server logs or configuration

So it seems that your "evil user" has more access than you do. You are only escaping .. (s/\.\./\\\.\\\./g;), so if I supply /etc/passwd as my input, how does your script handle it?

You probably should split the path into its components, and then decide from there what the file is.


He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.

Chady | http://chady.net/
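The component-splitting approach suggested above, worked out as an added example (this is not code from either poster). It contrasts the thread's ".." substitution with a check that rejects absolute paths and any directory component, then anchors the surviving filename under a base directory. The base directory /var/www/files and the character allowlist are assumptions for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Assumed base directory the script is meant to serve files from.
my $BASE = '/var/www/files';

# The approach from the thread: only ".." is escaped, so an absolute
# path such as /etc/passwd passes through untouched.
sub naive_escape {
    my ($name) = @_;
    $name =~ s/\.\./\\\.\\\./g;
    return $name;
}

# Safer approach: split the input into volume, directories and file,
# refuse anything that is not a single plain filename, and only then
# build the final path underneath $BASE.
sub safe_path {
    my ($input) = @_;
    return undef unless defined $input && length $input;
    # Absolute input is rejected outright instead of "escaped".
    return undef if File::Spec->file_name_is_absolute($input);
    my ($vol, $dirs, $file) = File::Spec->splitpath($input);
    my @parts = grep { length } File::Spec->splitdir($dirs);
    return undef if @parts;                   # any directory component: reject
    return undef if $file eq '.' || $file eq '..';
    # Assumed allowlist: letters, digits, dot, underscore, dash, no leading dot.
    return undef unless $file =~ /\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/;
    return File::Spec->catfile($BASE, $file);
}

# Constructed sample inputs, including the /etc/passwd case from the thread.
my @inputs = ('report.txt', '../../etc/passwd', '/etc/passwd', 'a/b.txt', '..', '.hidden');
for my $input (@inputs) {
    my $esc  = naive_escape($input);
    my $safe = safe_path($input);
    printf "%-20s naive=%-28s safe=%s\n",
        $input, $esc, defined $safe ? $safe : 'REJECTED';
}
```

Running it prints that naive_escape leaves /etc/passwd unchanged while safe_path rejects it, and that only report.txt comes back as /var/www/files/report.txt. If the files can be symlinks, a further check that Cwd::realpath of the result still starts with $BASE is worth adding once the file is known to exist.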

Re: Re: Re: Re: escaping filenames taken in via user input
by revdiablo (Prior) on Oct 31, 2002 at 07:02 UTC

    Oops, forgot to mention an absolute pathname is appended on the front of the specified filename. I guess my sample code wasn't exactly representative of the real code. I didn't have access to it at the time I made the post, and paraphrased for the sake of brevity... I suppose next time I'll post the actual code. :)