>Perhaps set the path of the image directory
>into the script, hardcoded like so:
>
>  $path = '/home/fubar/www/images';
>
>or something like that so you are restricting to a certain directory,
>and not just letting any file be read in by the cgi and sent to the
This isn't safe either. Someone could come along and request:
http://site.com/server.cgi?file=../../../../../../../etc/passwd
and get naughty files too. You want to make sure that you always sanitize the filename that you get in - never trust it. You also want to think about this /the other way/ - instead of thinking "what should I filter out?", you should think "what is it that I want to accept?". In your case, you'd probably want only alphanumeric characters, and a single dot (to separate the file extension).
I've done stuff similar to:
    use File::Spec;

    my $images    = '/home/fubar/www/images';   # where your files live.
    my $incoming  = $cgi->param('file');        # the file the user wants.
    my $file_path = File::Spec->catfile($images, $incoming);

    # split the joined path back into its components so each one can be
    # inspected; the filename itself is pushed on so it gets checked too.
    my ($v, $directories, $f) = File::Spec->splitpath($file_path);
    my @path_parts = File::Spec->splitdir($directories);
    push(@path_parts, $f);    # check the file for naughties too.

    # no_upwards() drops any ".." components; if the count changes, one was there.
    return $self->error("Hi! You've attempted directory traversal. Naughty!")
        if scalar File::Spec->no_upwards(@path_parts) != scalar @path_parts;
The above just checks for ".." and equivalents, however. You will probably want to check your $incoming for naughty characters too, just to be safe (i.e., anything not a dot or an alphanumeric).
-- Morbus Iff ( you are nothing without your robot car, NOTHING! ) Culture: http://www.disobey.com/ and http://www.gamegrene.com/ Spidering Hacks: http://amazon.com/exec/obidos/ASIN/0596005776/disobeycom icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
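The accept-list filter and the ".." check from the post, combined into one stand-alone script as an added example. This is not code from the original thread: the helper name safe_image_path, the third (abs2rel) containment check, and the list of sample requests are all assumptions and constructed inputs chosen to exercise the cases discussed above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical helper (not from the original post): returns the full path
# of the requested image if the name passes every check, undef otherwise.
# $images is the hardcoded directory; $incoming is the raw CGI parameter.
sub safe_image_path {
    my ($images, $incoming) = @_;

    # 1. Accept-list, not a deny-list: one run of alphanumerics, one dot,
    #    one run of alphanumerics. Slashes, "..", spaces, NUL bytes and
    #    leading dots never get as far as the filesystem.
    return undef unless defined $incoming
        && $incoming =~ /\A[A-Za-z0-9]+\.[A-Za-z0-9]+\z/;

    # 2. Belt and braces: build the path the way the post does and confirm
    #    that no component is ".." (no_upwards drops such components, so a
    #    change in the element count means one was present).
    my $file_path = File::Spec->catfile($images, $incoming);
    my ($vol, $dirs, $file) = File::Spec->splitpath($file_path);
    my @parts = (File::Spec->splitdir($dirs), $file);
    return undef if scalar(File::Spec->no_upwards(@parts)) != scalar(@parts);

    # 3. The joined path must still sit inside $images: expressed relative
    #    to $images, a path that escaped the directory starts with "..".
    my $rel = File::Spec->abs2rel($file_path, $images);
    return undef if $rel =~ m{\A\.\.(?:/|\z)};

    return $file_path;
}

# Constructed sample requests, not taken from any real access log.
my $images   = '/home/fubar/www/images';
my @requests = (
    'cat.jpg',
    '../../../../../../../etc/passwd',
    '/etc/passwd',
    'cat.jpg/../../secret.txt',
    '.htaccess',
    'a.b.c',
    "cat.jpg\0.txt",
);

for my $req (@requests) {
    my $path = safe_image_path($images, $req);
    (my $shown = $req) =~ s/\0/\\0/g;    # make the NUL byte visible
    printf "%-40s => %s\n", "'$shown'", defined $path ? $path : 'REJECTED';
}
```

Only 'cat.jpg' survives; everything else is rejected by the accept-list alone, which is the point of thinking "what do I want to accept?" first. Checks 2 and 3 are kept as defence in depth for the day someone loosens the regex to allow subdirectories or hyphens and forgets why the original was so strict.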