>Perhaps set the path of the image directory
>into the script, hardcoded like so:
>
> $path = '/home/fubar/www/images';
>
>or something like that so you are restricting to a certain directory,
>and not just letting any file be read in by the cgi and sent to the
This isn't safe either. Someone could come along and request:
http://site.com/server.cgi?file=../../../../../../../etc/passwd
and get naughty files too. You want to make sure that you always
sanitize the filename that you get in - never trust it. You also
want to think about this /the other way/ - instead of thinking
"what should I filter out?", you should think "what is it that
I want to accept?". In your case, you'd probably only want
alphanumeric characters, plus a single dot (to separate
the file extension).
I've done stuff similar to:
use File::Spec;   # provides catfile/splitpath/splitdir/no_upwards

my $images = '/home/fubar/www/images'; # where your files live.
my $incoming = $cgi->param('file'); # the file the user wants.
my $file_path = File::Spec->catfile($images, $incoming);
my ($v, $directories, $f) = File::Spec->splitpath($file_path);
my @path_parts = File::Spec->splitdir($directories);
push(@path_parts, $f); # check the file for naughties too.
# no_upwards() drops "." and ".." entries; if the count changed, one was there.
return $self->error("Hi! You've attempted directory traversal. Naughty!")
  if scalar File::Spec->no_upwards(@path_parts) != scalar @path_parts;
The above just checks for ".." and equivalents, however. You will
probably want to check your $incoming for naughty characters too,
just to be safe (i.e., anything not a dot or an alphanumeric).
--
Morbus Iff ( you are nothing without your robot car, NOTHING! )
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
Spidering Hacks: http://amazon.com/exec/obidos/ASIN/0596005776/disobeycom
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
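An added example, not part of Morbus Iff's message or the original script, that puts the two ideas above together in Perl: an allowlist regex for the filename ("what do I want to accept?") followed by the same no_upwards() count check as a second line of defence. The image directory, the regex and the sample inputs are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the original message. $IMAGES, the regex and
# the sample inputs below are assumptions for illustration.
use strict;
use warnings;
use File::Spec;

my $IMAGES = '/home/fubar/www/images';   # assumed image directory

# Returns ($absolute_path, undef) on success or (undef, $reason) on rejection.
sub safe_image_path {
    my ($incoming) = @_;
    return (undef, 'missing filename')
        unless defined $incoming && length $incoming;

    # Step 1: allowlist. One base name of ASCII letters, digits, '_' or '-',
    # then exactly one dot and an alphanumeric extension. \A and \z anchor the
    # whole string; a "$" anchor would let "logo.png\n" through.
    return (undef, 'disallowed characters')
        unless $incoming =~ /\A[A-Za-z0-9_-]+\.[A-Za-z0-9]+\z/;

    # Step 2: belt and braces. Split the joined path into components and
    # make sure no_upwards() does not discard any of them ("." or "..").
    my $path = File::Spec->catfile($IMAGES, $incoming);
    my (undef, $dirs, $file) = File::Spec->splitpath($path);
    my @parts = (File::Spec->splitdir($dirs), $file);
    return (undef, 'directory traversal')
        if scalar(File::Spec->no_upwards(@parts)) != scalar(@parts);

    return ($path, undef);
}

# Constructed sample inputs, the kind of thing a CGI sees in ?file=...
my @samples = (
    'logo.png',                    # accepted
    '../../../../etc/passwd',      # rejected: '/' and '..' not in allowlist
    "logo.png\n",                  # rejected: trailing newline
    'logo.png.bak',                # rejected: more than one dot
    '.htaccess',                   # rejected: empty base name
    '/etc/passwd',                 # rejected: leading slash
    'my photo.gif',                # rejected: space
);

for my $candidate (@samples) {
    my ($path, $why) = safe_image_path($candidate);
    (my $shown = $candidate) =~ s/\n/\\n/g;    # keep the report on one line
    printf "%-26s %s\n", "'$shown'",
        defined $path ? "OK     -> $path" : "REJECT ($why)";
}
```

The order matters: the regex does the real work (it is what rejects a leading slash, a space or a trailing newline, none of which no_upwards() cares about), and the no_upwards() pass only catches a future edit that loosens the regex. Symlinks inside the image directory are outside the scope of this check; if that matters, resolve the final path with Cwd::realpath and confirm it still starts with the image directory.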