in reply to Re: Untaint IP address/hostname question
in thread Untaint IP address/hostname question

Not sure that regex above works all that well as an untainter:)... it allows:

999.000.999.000

as an IP address and look what it does to the legal domain name neonutt.firstpart-secondpart.co.uk

Just for your IP addresses (not for your domain names), maybe something like this regex gets closer to what you need?

/((\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}(\d|[01]?\d\d|2[0-4]\d|25[0-5])/

Do people really test for the binary representation of the address too? I haven't seen it that often... but, then again, I don't get out often.

-hsinclai

Re: Re: Re: Untaint IP address/hostname question
by ambrus (Abbot) on Mar 10, 2004 at 20:27 UTC
      If you mean the next program down the line should finally decide whether the IP address is valid, I disagree.

      In this situation this regexp should deal with the lower level checking of the basic address validity. 999.000.999.000 is not a valid IP address. Otherwise you're allowing garbage input further down the chain of execution, while you bask in your cerebral interpretation of the definition of "taint" :)


      you'll have to check what characters that program accepts.

      What program that deals with IP addresses will accept "999.000.999.000" as valid? Do you mean we have to drop everything, and go check with that program first?
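An added example, not code from any poster in this thread: a range-checked, fully anchored IPv4 untainter run against the two strings the thread argues about plus a few constructed edge cases. The helper name `untaint_ipv4` and the sample list are assumptions made for illustration, and rejecting leading zeros is a stricter choice than the regex posted above.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# One octet, 0-255. [0-9] instead of \d keeps the match to ASCII digits.
# Leading zeros are rejected (stricter than the thread's regex) because
# inet_aton-style parsers read "010" as octal.
my $octet = qr/(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])/;

# \A and \z anchor the whole string, so neither "1999.1.1.1" nor a
# trailing newline can ride along into the captured value.
my $ipv4 = qr/\A($octet(?:\.$octet){3})\z/;

# Hypothetical helper: returns the captured (hence untainted) address,
# or undef when the input is not a dotted quad with octets in 0-255.
sub untaint_ipv4 {
    my ($input) = @_;
    return $1 if defined $input && $input =~ $ipv4;
    return;
}

# Zero-length string derived from %ENV: appending it taints the constructed
# samples when the script runs under `perl -T`. Without -T nothing is tainted.
my $taint = substr(join('', values %ENV), 0, 0);

# Constructed sample inputs, including the two strings from the thread.
my @samples = (
    '192.168.0.1', '255.255.255.255', '0.0.0.0',
    '999.000.999.000', '256.1.1.1', '1999.1.1.1', '10.0.0.1.5',
    "10.0.0.1\n", '010.1.1.1', 'neonutt.firstpart-secondpart.co.uk',
);

for my $raw (map { $_ . $taint } @samples) {
    my $clean = untaint_ipv4($raw);
    (my $shown = $raw) =~ s/\n/\\n/g;    # make the newline case visible
    printf "%-36s in:%-9s %s\n", $shown,
        tainted($raw) ? 'tainted' : 'untainted',
        defined $clean
            ? 'accepted, out:' . (tainted($clean) ? 'tainted' : 'untainted')
            : 'rejected';
}
```

Hostnames are rejected here by design; as the first post says, they need their own pattern.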