That works. Basically you need to untaint the value you were passed after making sure it is valid. Checking it against a hash of valid values will do the trick, or as this site does, looking it up in a database.

Make sure that you use the correct filename portion of the URL (stip off arguments, add the absolute path if needed, etc.) when you do the validation.

It also might make some sense to not have a subroutine to open the filehandle, but rather just get the filename from the validator and have a standard block of code open it.

-ben

I wouldn't even trust a regex to 'take out the ..' either as you could probably just do /etc/passwd instead. Yes, you could also regex off ^/ as well, but you'll be doing stuff like that as long as that script exists.

Also consider using pathinfo or a mod_perl handler because it looks a little nicer :)

www.ourintranet.com/index.pl?node=Announcements

----------------------------------------------------------------------
+---------------
#index.pl

$node = $ARGV[0];

blah blah blah;

----------------------------------------------------------------------
+---------------
[download]

Yes, it is passed as @ARGV for a CGI script such as that (that's probably run like CGI script, though the server might need configuration to do that). However, you are probably better off using the CGI module (or, maybe, a similar module) to parse it, because the string is not in an immediately usable format, and the CGI module knows how to extract the stuff you want. (Don't reinvent the wheel!)