Dr. Trigon wrote:
>> I would check that xslt is composed only of alphanumeric
>> characters* and do something like "/home/drtrigon/xslt/" + xslt +
>> ".xslt" (this ensures there's no ../ and doesn't contain \0)
>
> I considered this solution, since it sounded very easy. BUT the
> check for alphanum does exclude all files with '-' or '_'. Thus I
> decided to use my proposal.
Heh, you could have added - and _ to the list of allowed characters
(that's why I pointed out *what* I wanted to protect from).

> As far as I can see this does protect from '../' and '\0' in the
> path of the xslt file also - but please correct
> me if I am wrong here (and you have a scenario where this breaks down).

Spelling out the list of allowed values is always safer, but it is
bothersome (I see you listed the folder instead).

_______________________________________________
Toolserver-l mailing list (Toolserver-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/toolserver-l
Posting guidelines for this list: https://wiki.toolserver.org/view/Mailing_list_etiquette
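The two approaches discussed in this thread, written out as an added example (this is not code from the thread or from Dr. Trigon's tool): a character allowlist on the xslt parameter extended with '-' and '_', and the safer variant that enumerates the folder so only names that actually exist are accepted. The base directory is the one quoted above; the function names, the `listing` parameter and the constructed directory listing are assumptions made for the example.

```python
import os
import posixpath
import re

# Base directory quoted in the thread; assumed here, no such directory needs to exist.
XSLT_DIR = "/home/drtrigon/xslt"

# Allowlist: alphanumerics plus '-' and '_'. The pattern is anchored with \A and \Z
# (not $: in Python "$" also matches before a trailing newline, so "name\n" would pass).
# '.' and '/' are absent from the class, so "../" cannot be formed, and "\0" is rejected
# because it is not in the class either.
_NAME_RE = re.compile(r"\A[A-Za-z0-9_-]+\Z")


def xslt_path_by_charset(xslt, base_dir=XSLT_DIR):
    """Return base_dir/<xslt>.xslt if xslt passes the character allowlist, else None.

    This is the approach from the thread: validate the characters, then build the path
    yourself. It never lets the caller choose the directory or the extension."""
    if not isinstance(xslt, str) or not _NAME_RE.match(xslt):
        return None
    return posixpath.join(base_dir, xslt + ".xslt")


def xslt_path_by_listing(xslt, base_dir=XSLT_DIR, listing=None):
    """Return base_dir/<xslt>.xslt only if <xslt>.xslt is actually present in base_dir.

    This is the "spell out the allowed values" variant: the set of valid names is taken
    from the folder itself, so the character check is not needed and a name that matches
    the charset but does not correspond to a file is refused too. `listing` (an assumed
    parameter) lets a caller pass a directory listing instead of reading the disk."""
    if not isinstance(xslt, str):
        return None
    entries = os.listdir(base_dir) if listing is None else listing
    allowed = {
        e[: -len(".xslt")]
        for e in entries
        if e.endswith(".xslt") and not e.startswith(".")
    }
    if xslt not in allowed:
        return None
    return posixpath.join(base_dir, xslt + ".xslt")


if __name__ == "__main__":
    # Constructed inputs: what a tool might receive in its "xslt" request parameter.
    for candidate in ["my-style_1", "../../etc/passwd", "style\0", "style\n", "sty.le"]:
        print(repr(candidate), "->", xslt_path_by_charset(candidate))
    # Constructed directory listing standing in for os.listdir(XSLT_DIR).
    fake_listing = ["main.xslt", "alt-1.xslt", "notes.txt", ".hidden.xslt"]
    for candidate in ["main", "alt-1", "notes", "../main", ".hidden"]:
        print(repr(candidate), "->", xslt_path_by_listing(candidate, listing=fake_listing))
```

The charset version is the cheaper check and is enough to keep the path inside the folder; the listing version is stricter because an attacker cannot even probe for files that happen to match the pattern but were never meant to be selectable.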