Ah, thinking around the problem: that's more like it!
What would you recommend I use to untaint the data in a portable way? I would expect to miss a lot of cases if I used a regular expression to do the job; that was why I tried to use a file test in the first place. My intention is not to be "too" restrictive in how my module is used (though the specification is not that clearly defined yet i.e. I'm making it up as I go ;-)).
Cheers, -- Dave :-)
$q=[split+qr,,,q,~swmi,.$,],+s.$.Em~w^,,.,s,.,$&&$$q[pos],eg,print
my( $filename )= $param =~ m#^(\w[-.\w]*)\z#
    or die "Invalid file name ($param).\n";
which allows for plenty of choice in naming the file but doesn't allow anything unsafe to be used. If this is a situation where you want to allow full paths and don't have any worries about the use of "..", then you can do:
my( $filepath )= $param =~ m#^((?:/?[.\w][-.\w]*)+)\z#
    or die "Invalid file path ($param).\n";
Or be more portable by using File::Spec to split the $param into components and untaint each:
#!/usr/bin/perl -w
use strict;
use File::Spec::Functions qw( splitpath splitdir catdir catpath );

# Try each command-line argument and report whether it survives untainting.
for my $path ( @ARGV ) {
    eval {
        warn "($path) => (", untaintPath( $path ), ")\n";
        1;
    } or
        warn "$@\n";
}
exit( 0 );

# Split the path into volume, directories and file name, untaint each
# component with a capture, then reassemble it with File::Spec.
sub untaintPath {
    my( $param )= @_;
    my( $vol, $dirs, $file )= splitpath( $param );
    ## my( $clean )= $file =~ m#^(\w[-.\w]*)\z#
    # The empty alternative allows a trailing "/" (no file part).
    my( $clean )= $file =~ m#^(\w[-.\w]*|)\z#
        or die "Invalid file name ($file) in path ($param).\n";
    $file= $clean;
    my @dirs= splitdir( $dirs );
    for my $dir ( @dirs ) {
        ##( $clean )= $dir =~ m#^([.\w][-.\w]*|)\z#
        # No "." allowed in directory names, so ".." can never get through;
        # the empty alternative covers the leading "" from an absolute path.
        ( $clean )= $dir =~ m#^(\w[-\w]*|)\z#
            or die "Invalid dir name ($dir) in path ($param).\n";
        $dir= $clean;
    }
    $dirs= catdir( @dirs );
    if( "" eq $dirs && "" eq $file ) {
        die "Empty dir/file in path ($param).\n";
    }
    return catpath( $vol, $dirs, $file );
}
*shrug*
- tye
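An added example (not tye's code, and not part of the original thread) that shows why the capture has to be taken in list context, and how to check the result with Scalar::Util::tainted. It assumes it is run as `perl -T untaint_demo.pl`; the sample inputs are constructed inline and tainted by appending a zero-length slice of $ENV{PATH}, the usual perlsec idiom, since everything in %ENV is tainted under -T.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw( tainted );

# Constructed sample inputs. Under -T every value in %ENV is tainted, so
# appending a zero-length slice of $ENV{PATH} taints each literal without
# changing its contents.
my $taint   = substr( $ENV{PATH} // '', 0, 0 );
my @samples = map { $_ . $taint }
    'report.txt', 'my-file.1', '../etc/passwd', 'a b', "x\n", '';

# Wrong: a match in scalar context yields 1 or "", not the capture,
# so $filename ends up holding "1" for every accepted input.
sub untaint_scalar_context {
    my( $param ) = @_;
    my $filename = $param =~ m#^(\w[-.\w]*)\z#
        or die "Invalid file name ($param).\n";
    return $filename;
}

# Right: a list-context assignment receives the capture, and Perl
# treats text extracted through a capture group as untainted.
# \z (not $) keeps a trailing newline from slipping past the check.
sub untaint_list_context {
    my( $param ) = @_;
    my( $filename ) = $param =~ m#^(\w[-.\w]*)\z#
        or die "Invalid file name ($param).\n";
    return $filename;
}

for my $param ( @samples ) {
    ( my $shown = $param ) =~ s/\n/\\n/g;
    printf "%-16s tainted=%d ", "'$shown'", tainted( $param ) ? 1 : 0;
    for my $fn ( \&untaint_scalar_context, \&untaint_list_context ) {
        my $result = eval { $fn->( $param ) };
        if ( defined $result ) {
            printf "-> '%s' (tainted=%d) ", $result, tainted( $result ) ? 1 : 0;
        }
        else {
            print "-> rejected ";
        }
    }
    print "\n";
}
```

For `report.txt` the scalar-context version reports an untainted result of `1` rather than the file name, which is exactly what a later `open` would then try to use; the list-context version returns `report.txt`, untainted. The `../etc/passwd`, `a b`, `x\n` and empty inputs are rejected by both.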
Since you are just worried about the open's syntax, which is already standardized across platforms, write your regex and case for that...
-Waswas