Well, I'm very new to mod_perl, but what I usually do in perl scripts that
are marching through files in a directory is to use "if -d $fname" which
automatically avoids . and .. plus any subdirectories. Much simpler, but
I'm not sure it handles all your requirements....
Cheers,
C
On 16 Jan 2000, Randal L. Schwartz wrote:
> >>>>> "Sean" == Sean Chittenden <[EMAIL PROTECTED]> writes:
>
> Sean> Hey. So I just went through and was auditing someone's code today
> Sean> (the joy of joys that it is) and these guys were pretty reliant on their
> Sean> access, authen, authz handlers for most everything related to their site
> Sean> (not too atypical, IMHO). Everything was kosher EXCEPT they _never_
> Sean> tested for the '.' or '..' directories in their path. For instance:
>
> "." as a directory name should never be a problem. I'd like to see a
> case where you think it might. ".." is, as you note, a problem.
>
> Sean> # Match ./ and /.
> Sean> if ($uri =~ m:\/\.|\.\/:o) { # Overly paranoid, but acceptable, regexp
> Sean> return(HTTP_NOT_ACCEPTABLE);
> Sean> }
>
> Naah, I'd go with something like this:
>
> return HTTP_NOT_ACCEPTABLE if grep $_ eq "..", split /\//, $uri;
>
> Then "foo..bar" is OK, as is ".foo". Of course, I reject ".ANYTHING"
> in my access handler, but that's up to you. :)
>
> Also, I noticed that "fancyindexing" uses "/foo/bar/bletch/..", so you
> have to permit that unless you want a lot of errors in your errlog
> when you turn fancyindexing on.
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
> Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
> See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
>
Christopher Nielsen [EMAIL PROTECTED] http://ZORINco.com
__________________________________________________________
Makers of fine microcontroller products -
ModCon Microcontroller - SPI-X10 Home Automation controller -
MIDI Gizmo - Audio Board - and other fine products and accessories
C O N T R O L Y O U R W O R L D
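Putting Randal's segment-wise ".." test next to his dotfile policy and the fancyindexing exception in one handler-style check, as an added example (this is not code from the thread; check_uri, its options and the sample paths are assumptions, and the status constants stand in for the Apache::Constants values):

```perl
#!/usr/bin/perl
# Added example, not code from the thread. check_uri(), its options and the
# sample table are assumptions for illustration; the HTTP_* constants mirror
# the values a mod_perl handler would import from Apache::Constants.
use strict;
use warnings;

use constant OK                  => 0;
use constant HTTP_NOT_ACCEPTABLE => 406;

# Return OK or HTTP_NOT_ACCEPTABLE for a request path.
# %opt: reject_dotfiles       => 1 refuses any segment beginning with '.'
#                                 (Randal's ".ANYTHING" policy);
#       allow_trailing_parent => 1 tolerates a final ".." segment, which
#                                 FancyIndexing emits in parent-directory links.
sub check_uri {
    my ($uri, %opt) = @_;
    my @seg = split m{/}, $uri, -1;   # -1 keeps an empty trailing field
    # Drop one final ".." only if the caller explicitly permits it.
    pop @seg if $opt{allow_trailing_parent} && @seg && $seg[-1] eq '..';
    for my $s (@seg) {
        next if $s eq '' || $s eq '.';              # "." is harmless
        return HTTP_NOT_ACCEPTABLE if $s eq '..';   # climbs out of the tree
        return HTTP_NOT_ACCEPTABLE
            if $opt{reject_dotfiles} && $s =~ /^\./; # .htaccess, .svn, ...
    }
    return OK;
}

# Constructed sample requests: the thread's own cases plus a few edge cases.
my @samples = (
    '/foo/../etc/passwd',   # classic climb: rejected
    '/foo..bar/x',          # dots inside a name: fine
    '/.foo/x',              # dotfile: fine unless reject_dotfiles
    '/foo/./bar',           # "." segment: fine
    '/foo/bar/bletch/..',   # FancyIndexing parent link
    '/..',                  # bare parent: rejected unless the exception is on
);
for my $u (@samples) {
    printf "%-22s plain=%3d dotfiles=%3d fancy=%3d\n", $u,
        check_uri($u),
        check_uri($u, reject_dotfiles => 1),
        check_uri($u, allow_trailing_parent => 1);
}
```

The last column shows the price of the fancyindexing exception: a path that is nothing but a trailing ".." is let through too, so apply that option only where the index listings actually need it.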