On 23 Aug 2004, at 18:49, Morbus Iff wrote:
>> Perhaps set the path of the image directory
>> into the script, hardcoded like so:
>>
>>   $path = '/home/fubar/www/images';
>>
>> or something like that so you are restricting to a certain directory,
>> and not just letting any file be read in by the cgi and sent to the
> This isn't safe either. Someone could come along and request:
>
>   http://site.com/server.cgi?file=../../../../../../../etc/passwd
>
> and get naughty files too. You want to make sure that you always sanitize the filename that you get in - never trust it.
Quite right. Like that. I'm sorry I was so much less clear about it: I felt like I'd been going on too long already.
best
will
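The point Morbus makes above, shown in code. This is an added example, not code from either poster, and it is in Python rather than the Perl CGI the thread is about; the directory `/home/fubar/www/images` is taken from the quoted message, and the request values below are constructed. `naive_image_path` is the hardcoded-prefix idea from the quote and shows why the prefix alone confines nothing; `sanitize_filename` and `confine_to_dir` are two ways to do the checking Morbus asks for (an allowlisted bare name, or resolving the path and requiring it to stay under the directory).

```python
import os
import re

# Directory from the quoted message; the script is assumed to serve only files below it.
IMAGE_DIR = "/home/fubar/www/images"

# Strict allowlist for a bare file name: no slashes, no leading dot, no NUL.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def naive_image_path(name, base=IMAGE_DIR):
    """The hardcoded-prefix idea from the quote: prefix + '/' + name, no validation.

    normpath() is purely lexical, which is exactly what the kernel does with
    the '..' segments: the prefix does not confine anything.
    """
    return os.path.normpath(base + "/" + name)


def sanitize_filename(name):
    """Approach 1: only accept a plain file name matching the allowlist.

    Rejects anything containing a path separator, so '../' cannot appear at all.
    Returns the name unchanged when it passes, raises ValueError otherwise.
    """
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected file name %r" % name)
    return name


def confine_to_dir(name, base=IMAGE_DIR):
    """Approach 2: allow subdirectories, but require the resolved path to stay under base.

    Both sides go through realpath() so symlinks and '..' are resolved before
    the comparison; comparing the raw strings would be bypassable.
    """
    if "\0" in name:
        raise ValueError("NUL byte in file name")
    if os.path.isabs(name):
        raise ValueError("absolute path not allowed")
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath() compares whole path segments, so '/home/fubar/www/images2'
    # is not mistaken for a child of '/home/fubar/www/images' (a plain
    # startswith() check would accept it).
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes %s: %r" % (root, name))
    return candidate


def check_request(name, base=IMAGE_DIR):
    """Exception-free wrapper for callers: (True, resolved_path) or (False, reason)."""
    try:
        return True, confine_to_dir(name, base)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample values for the 'file' query parameter, including the one from the thread.
    requests = [
        "logo.png",
        "thumbs/photo.jpg",
        "../../../../../../../etc/passwd",
        "/etc/passwd",
        "logo.png\0.txt",
    ]
    for req in requests:
        ok, detail = check_request(req)
        print("%-36r naive=%-32s confined=%-5s %s" % (req, naive_image_path(req), ok, detail))
```

The allowlist is the simpler and safer choice when the script only ever needs one flat directory of images; the realpath check is for the case where subdirectories must be served, and it must compare the resolved paths rather than the strings the client sent.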