in reply to Re^2: request for review: file reading security
in thread request for review: file reading security

I believe your code should look for literal periods:

$req =~ s/^\.\.\///;
But that's still poor, because what about:
blah/../../topsecretpages/page.html
or
../../topsecretpages/page.html
Update: Chady is right. I retract.



pbeckingham - typist, perishable vertebrate.

Re^4: request for review: file reading security
by Chady (Priest) on Sep 05, 2004 at 15:57 UTC

    His regular expression does the job well. It strips everything until the last /

    $req = 'blah/../../topsecretpages/page.html';
    $req =~ s/^.*\///;
    print $req;
    __END__
    page.html

    He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.
    Chady | http://chady.net/
    Are you a Linux user in Lebanon? join the Lebanese Linux User Group.
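
An added example, not part of either post above: it runs the two substitutions from the thread over the two requests quoted there plus a few constructed edge cases, so the difference between stripping a leading `../` and stripping up to the last `/` is visible side by side. The helper names and the whitelist in `is_plain_name` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: compares the two substitutions discussed in the thread.
use strict;
use warnings;

my @requests = (
    'blah/../../topsecretpages/page.html',   # from the thread
    '../../topsecretpages/page.html',        # from the thread
    'page.html',                             # constructed: plain name
    '..',                                    # constructed: no slash at all
    'dir/',                                  # constructed: trailing slash
);

# Strip one leading "../" (the literal-period version).
sub strip_leading_dotdot {
    my ($req) = @_;
    $req =~ s/^\.\.\///;
    return $req;
}

# Strip everything up to and including the last "/" (greedy .*).
sub strip_to_last_slash {
    my ($req) = @_;
    $req =~ s/^.*\///;
    return $req;
}

# Assumption: once the directory part is gone, only a plain file name
# made of letters, digits, "_", "." and "-" is acceptable.
sub is_plain_name {
    my ($name) = @_;
    return 0 if $name eq '' || $name eq '.' || $name eq '..';
    return $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/ ? 1 : 0;
}

for my $req (@requests) {
    my $lead = strip_leading_dotdot($req);
    my $last = strip_to_last_slash($req);
    printf "%-40s leading: %-38s last-slash: %-12s %s\n",
        "'$req'", "'$lead'", "'$last'",
        is_plain_name($last) ? 'accept' : 'reject';
}
```

The last two constructed inputs show why a check on the stripped result is still worth having: the substitution alone leaves `..` untouched and turns `dir/` into an empty string.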