in reply to Re^2: Why aren't these equivalent?
in thread Why aren't these equivalent?

PLEASE COME BACK HERE: don't, please, run CGIs without -T. As holli said below, someone will pass you "/etc/passwd" as a parameter and you will be hosed. You can unlink the file, IIRC, if you check it against a regex, like this:
unlink $1 if $fileName =~ /^(\.\.\/\.\.\/20\d{6}\.txt)$/;
_without_ having to run it insecurely. As a plus, it will only remove the removable files.
[]s, HTH, Massa
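The pattern Massa shows is the standard taint-mode idiom: a regex capture is the only way to launder tainted input, so whatever reaches unlink is exactly what the capture group allowed. The script below is an added example, not code from this thread or from the original poster. It takes the file name from @ARGV so it can be run stand-alone (a value from CGI->param is tainted in exactly the same way), and it assumes a hypothetical data directory `/var/www/data` holding bare `20YYMMDD.txt` files rather than the `../../` relative path in the post; both are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Runs under taint mode (-T):
#   perl -T remove_daily.pl 20080714.txt
# The file name is taken from @ARGV here for a stand-alone run; a CGI
# parameter obtained via CGI->param is tainted in exactly the same way.
use strict;
use warnings;

# Under -T perl refuses to run external commands with an inherited PATH,
# so sanitise the environment first (harmless for a pure-unlink script).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed location of the dated files; adjust to the real directory.
my $DATA_DIR = '/var/www/data';

# Returns the untainted bare file name if $name is exactly 20YYMMDD.txt,
# otherwise undef. The capture ($1) is the only thing that leaves this
# function, so "../../etc/passwd" or "20080714.txt\n" are rejected.
# \A and \z are used instead of ^ and $ because $ would still accept a
# trailing newline.
sub untaint_name {
    my ($name) = @_;
    return undef unless defined $name;
    return $1 if $name =~ /\A(20\d{6}\.txt)\z/;
    return undef;
}

my $fileName = $ARGV[0];            # tainted: it came from outside the program
my $safe     = untaint_name($fileName);

if (!defined $safe) {
    print "rejected: file name must look like 20YYMMDD.txt\n";
    exit 1;
}

# Contrast: unlink "$DATA_DIR/$fileName" with the raw parameter would die
# under -T with "Insecure dependency in unlink while running with -T switch".
my $path = "$DATA_DIR/$safe";       # built only from untainted parts
if (unlink $path) {
    print "removed $path\n";
} else {
    print "could not remove $path: $!\n";
    exit 1;
}
```

Run it with `perl -T remove_daily.pl 20080714.txt`; because the shebang line carries -T, running it plainly as `perl remove_daily.pl` dies with "Too late for -T", which is a useful reminder that the CGI must be invoked with taint mode on. Try `../../etc/passwd` or `20080714.txt%0a` (decoded to a trailing newline) as the argument to see the regex reject it before unlink is ever reached.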

Re^4: Why aren't these equivalent?
by Anonymous Monk on Jul 14, 2008 at 19:06 UTC
    Thank you for the advice, massa. I'm using the strict pattern matching that you suggested, modified for my specific application. There are other measures that would have to be defeated before someone could access this page, but I'll keep the taint checking too!

    It was very kind and generous of holli to offer to hack my site, but not necessary, thanks.