Vorm — Sun, 14 Jan 2001 21:06:06 +0000

What can someone do with the script tag when it comes to opening a file?

Matt@Ikonboard — Wed, 10 Jan 2001 02:48:47 +0000

Quote: Originally posted by spragueg
It's always the same file but the user is requesting data via forms or action tags. I have a parsing lib that gets my pairs out. Should I use the regexp there? For example I have a variable like "words=01234" passed via the url or form. If I read that regexp right it's looking for any "/" and replacing it with nothing? So should I do $words= s/\///g; before I open my file? Do I understand?

It depends on the method used to parse. I urge the use of the CGI perl module. It's a little heavy on compile times, but worth it for it's clean and easy to use interface.

Always do some kind of data checking on parsed value=pairs tags.

I'd use something like:

sub CleanValue {
    my ($obj, $Tmp) = @_;
    $Tmp =~ s!\0!!g;
    my %ENT=('&'=>'amp','<'=>'lt','>'=>'gt','"'=>'quot');
    $Tmp =~ s!([&<>"])!&$ENT{$1};!sg;
    $Tmp =~ s|<!--|&#60;&#33;&#45;&#45;|g;
    $Tmp =~ s|-->|&#45;&#45;&#62;|g;
    $Tmp =~ s|&lt;script&gt;|&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;|ig;
    $Tmp =~ s|^\$+$|&#36|g;
    $Tmp =~ s!\|!&#124;!g;
    $Tmp =~ s|\{|&#123;|g;
    $Tmp =~ s|\}|&#125;|g; 
    $Tmp =~ s|\,|&#44;|g;
    $Tmp =~ s|\*|&#42;|g;
    $Tmp =~ s|'|&#39;|g;
    $Tmp =~ s|\s+$||g;
    $Tmp =~ s|\$|&#36|g;
    $Tmp =~ s|\r||g;
    return $Tmp;
}

Matt@Ikonboard — Wed, 10 Jan 2001 02:44:30 +0000

Focusing on opening files from user input, I'd go full on taint.

Something like:

my $File = $q->param('file'); #or however the data is parsed..

$File = CleanFilename($File);
open FH, $File or die $!;
.....

#Some where in a script/lib/module - whatever

sub CleanFilename {
die "Illegal Characters" unless $_[0] =~ m!^([\w.-]+)$!;
return $1; # $1 is now untainted
}

Rob Pengelly — Tue, 09 Jan 2001 02:29:42 +0000

I should have been more clear sorry. the regexp is only neccesary when you are opening a file inputed by the user.

spragueg — Tue, 09 Jan 2001 01:15:07 +0000

It's always the same file but the user is requesting data via forms or action tags. I have a parsing lib that gets my pairs out. Should I use the regexp there? For example I have a variable like "words=01234" passed via the url or form. If I read that regexp right it's looking for any "/" and replacing it with nothing? So should I do $words= s/\///g; before I open my file? Do I understand?

Rob Pengelly — Mon, 08 Jan 2001 20:49:26 +0000

It really depends on the situation. Is thie file that you are opening already defined in your script?
ie-
$file = 'data.txt';
open(IN,$file) or die "Can't open $file: $!\n";
If this is the case, you are fine, because you will only open the specified file.

Or, are you getting userinput first, and opening a file a specific file depending on the users input? If this is the case, it is always good to write a small regexp (Regular Expression) to make sure there are no '/' in the inputed variable. I usually use:
$foo = s/\///g;