Re: new advisory

From: Andrew Simmons (andrewat_private)
Date: Mon Feb 04 2002 - 17:49:48 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    
    sjat_private wrote:
     > I think some filtering after the line '$q = new CGI;' would help a little
     >
     > Eg.
     >
 > my $SECMSG = "Pliz dont hekk us\n";   # double-quoted so \n is a newline
     >
     > if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
     > my $xx = $q->param('cfg');
     >
     > if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
    
    
    Eek! leaning toothpick syndrome!
    
         if ($xx =~ m"\.\. |        # if match '..' anywhere, or
                      //   |        #    match '//' anywhere, or
                      \./  "x) {    #    match './' anywhere:
            die $SECMSG;
         }
    
    Of course, as a general rule, it's better to take a leaf out of the
    firewall admin's book: deny everything by default, then allow only
    specific, known good patterns. For example, isn't this code prone to
    fragility in the presence of hex-encoded characters?
    
    \a
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (CYGWIN_NT-4.0)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE8XzoKkZawWPzItK8RAiPEAJ9ZoMw1HyHT9IQ3dHHGTPjDiZ2WawCfUop/
    Wg3BBi5iR0iP81E9RPqCbdk=
    =IaK8
    -----END PGP SIGNATURE-----
    
    -- 
    =( Andrew Simmons                                      PGP public key:
    =( http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xFCC8B4AF
    =( Perl, security, net- and sys- admin, Linux, NT
    =(   http://www.zpok.demon.co.uk/cv.(doc|txt)
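The allowlist point above, worked through as an added example in Perl (my code, not either poster's): the quoted denylist regex beside an allowlist check, run over a few constructed `cfg` values. The names `deny_check`, `allow_check`, `cfg_path`, `decode_once` and `$CFG_DIR` are my own assumptions, as is the layout in which every config file lives in one directory and is named like `site.cfg`. `decode_once` stands in for any later URL-decoding step a script might apply; CGI.pm has already decoded the parameter once by the time `$q->param('cfg')` returns.

```perl
#!/usr/bin/perl
# Added example, not code from either poster: the quoted denylist check
# beside an allowlist check, run over constructed inputs. The names
# deny_check, allow_check, cfg_path, decode_once and $CFG_DIR are my own.
use strict;
use warnings;

# Assumed layout: every config file lives in one directory and is named
# like "site.cfg". Nothing else is ever opened.
my $CFG_DIR = '/usr/local/etc/app';

# Denylist, as in the quoted post: reject if a known-bad substring appears.
sub deny_check {
    my ($xx) = @_;
    return 0 unless defined $xx;
    return 0 if $xx =~ m{ \.\. | // | \./ }x;   # '..', '//' or './' anywhere
    return 1;
}

# Allowlist: accept only one short, known-good shape; anything else fails.
sub allow_check {
    my ($xx) = @_;
    return 0 unless defined $xx;
    return $xx =~ /\A[A-Za-z0-9_-]{1,32}\.cfg\z/ ? 1 : 0;
}

# Build the path yourself from the validated name, never from raw input.
sub cfg_path {
    my ($xx) = @_;
    return allow_check($xx) ? "$CFG_DIR/$xx" : undef;
}

# Stand-in for any later URL-decoding step in the script. CGI.pm has
# already decoded the parameter once by the time $q->param('cfg') returns,
# so a double-encoded %252e arrives in the script as %2e.
sub decode_once {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Constructed inputs, as they would come back from $q->param('cfg').
my @inputs = (
    'site.cfg',                   # legitimate
    '../../etc/passwd',           # plain traversal
    '/etc/passwd',                # absolute path: no '..', '//' or './' in it
    '%2e%2e/%2e%2e/etc/passwd',   # double-encoded traversal, decoded once
);

for my $xx (@inputs) {
    my $path = cfg_path($xx);
    printf "%-28s denylist:%-6s allowlist:%-6s path:%s\n",
        $xx,
        deny_check($xx)  ? 'pass' : 'reject',
        allow_check($xx) ? 'pass' : 'reject',
        defined $path ? $path : '(none)';
}

# The denylist lets the encoded value through; one more decode downstream
# turns it into the very string the denylist was written to stop.
my $encoded = '%2e%2e/%2e%2e/etc/passwd';
my $later   = decode_once($encoded);
printf "%s -> %s  denylist:%s\n", $encoded, $later,
    deny_check($later) ? 'pass' : 'reject';
```

Two of the four inputs get past the denylist: the absolute path, which contains none of the three forbidden substrings, and the once-decoded `%2e%2e/...`, which becomes `../../etc/passwd` the moment anything downstream decodes it again. The allowlist rejects both without needing to know about either trick, because it only ever describes what a good value looks like.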
    



    This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 15:22:06 PST