To: Carl Brewer
Cc: modperl@perl.apache.org
Subject: Re: [OT] checking for legal chars in a filename passed in by upload params?
From: Scott Gifford
Date: Mon, 11 Apr 2005 11:19:43 -0400

Carl Brewer writes:

[...]

> I'm not too worried about the upload filenames, but the defensive
> programmer in me somewhere says if I'm going to write this, I should
> prevent the uploadee from doing bad things. The uploadee *should*
> be a trusted user, but may not be... I don't mind a DoS sort of
> thing, but I don't want them being able to scribble outside the
> upload directory.

First, CGI scripts (mod_perl or not) should always be run in taint
mode, which wouldn't let you use the filename directly in a file open,
and in general stops you from doing lots of things that could cause a
security problem.

More specific to your question, I generally do things like:

    ($uploaded_filename =~ /^(\w+)$/)
        or die "Dangerous filename!\n";
    $uploaded_filename = $1;

to die on unsafe characters and untaint. It's always safer to specify
what's a safe character than what's an unsafe character, since it errs
on the side of paranoia.

Dying on any non-word character could confuse users who upload files
with strange names, though. If you don't care about the filename,
just make one up, and avoid the problem altogether. If you do, you
could try using URI::Escape before opening the file, and having it
escape all non-word characters:

    $uploaded_filename = uri_escape($uploaded_filename, '\W');

followed by the regexp match above, which should always succeed, but
will satisfy the paranoiac inside you while untainting the escaped
filename.

Hope these hints get you pointed in the right direction,

----ScottG.
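
The two approaches from the message above, written out as an added example that is not part of the original post or of any project's code. The function names `strict_name` and `escaped_name` are hypothetical and the sample filenames are constructed. One assumption differs from the message: `uri_escape` writes each escaped byte as `%XX` and `%` is not a word character, so the pattern used after escaping here admits `%XX` triplets as well as word characters.

```perl
use strict;
use warnings;
use URI::Escape qw(uri_escape);

# Strict variant: accept word characters only, otherwise reject.
sub strict_name {
    my ($name) = @_;
    return unless defined $name;
    # The capture group is what untaints the value under taint mode (-T).
    return $name =~ /\A(\w+)\z/ ? $1 : undef;
}

# Lenient variant: escape every non-word character, then untaint.
sub escaped_name {
    my ($name) = @_;
    return unless defined $name && length $name;
    # Single quotes: in a double-quoted string "\W" collapses to "W".
    my $escaped = uri_escape($name, '\W');
    # Allowlist for the escaped form: word characters and %XX triplets.
    # '/', '\' and '.' have all been escaped, so the result is a single
    # path component that cannot name a parent directory.
    return $escaped =~ /\A((?:\w|%[0-9A-F]{2})+)\z/ ? $1 : undef;
}

# Constructed sample inputs.
for my $in ('report', 'report.pdf', '../../etc/passwd', "a\nb", 'my file.txt') {
    my $strict  = strict_name($in);
    my $escaped = escaped_name($in);
    (my $shown = $in) =~ s/\n/\\n/g;    # keep the table on one line
    printf "%-20s strict=%-10s escaped=%s\n", $shown,
        defined $strict  ? $strict  : '(reject)',
        defined $escaped ? $escaped : '(reject)';
}
```

Run it with `perl -T` to have taint checking enforced on real request data; the literals in the loop are not tainted, so here the capture only demonstrates the pattern.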