Jorge Aldo G. de F. Junior wrote:

I believe that you already know that, but that's why I asked if others
are considering the security risk involved in filenames.

For evidence's sake look at this old IIS bug:

http://www.hackingspirits.com/eth-hac/papers/iis_uni.html

Moral: Filenames can be nasty and filename checking functions tend
to be complex...

The security risk there isn't in the filename per se, but in what it's passed to. You can safely put most characters in a filename, but the result of that must be checked before being passed to a unix shell, to IIS, to ShellExecuteEx() (or whatever the name of the Windows function is) and so on: that's why Perl has the "tainted" concept that allows anything injected by a user to be tracked and treated as potentially hostile.

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
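Added example, not from the thread or from FPC: a minimal Python sketch of the taint idea described above. A user-supplied filename is wrapped as Tainted, and it can only reach a shell command line after a validating regex capture strips the taint (Tainted, untaint_filename, build_shell_command and the allow-list are all constructed for this illustration).

```python
import re
import shlex

# Taint tracking in the spirit of Perl's -T mode: a value that originated
# from the user is wrapped as Tainted and is refused by anything that would
# hand it to a shell, until a validating regex capture "untaints" it.
class Tainted(str):
    """A string that came from an untrusted source, e.g. a user-supplied filename."""

class TaintError(ValueError):
    """Raised when a tainted value would reach a sensitive sink."""

# Constructed allow-list for a plain file name: no path separators, no shell
# metacharacters, no leading dot. Deliberately strict; adjust for real use.
SAFE_NAME = re.compile(r"\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\Z")

def untaint_filename(value: str) -> str:
    """Return a plain, trusted str only if the value matches the allow-list."""
    m = SAFE_NAME.match(value)
    if m is None:
        raise TaintError(f"refusing filename {value!r}")
    return str(m.group(0))  # a plain str: the taint is gone

def build_shell_command(args) -> str:
    """Join args into a shell command line, refusing any still-tainted piece."""
    for a in args:
        if isinstance(a, Tainted):
            raise TaintError(f"tainted value {a!r} would reach the shell")
    return " ".join(shlex.quote(a) for a in args)

def list_file(user_supplied: str) -> str:
    """Build 'ls -l <name>' for a filename that arrived from the user."""
    name = Tainted(user_supplied)
    return build_shell_command(["ls", "-l", untaint_filename(name)])
```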
_______________________________________________
fpc-pascal maillist  -  fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
