Re: untaint filename by replacing with underscores?
From: Wc -Sx- Jones (WC-Sx-Jones_at_insecurity.org)
Date: 04/22/04
- Next message: Wc -Sx- Jones: "Re: Password Changer and rexec help"
- Previous message: peery_at_comcast.net: "Perl vs PHP"
- In reply to: Damon McMahon: "untaint filename by replacing with underscores?"
- Next in thread: Jupiterhost.Net: "Re: untaint filename by replacing with underscores?"
Date: Thu, 22 Apr 2004 09:09:52 -0400
To: beginners@perl.org
Damon McMahon wrote:
> $attach_name =~ s/[^\w\s\-\.]/_/;
> $safe_attach_name = $1;
>
> However, this isn't populating $safe_attach_name with anything. What am
> I doing wrong?
This is an age old mistake - trying to ban unsafe characters.
Try to think in reverse:
$attach_name =~ s/[^a-z0-9]/\_/gi;
This changes anything NOT A-Z or 0-9 into _
For example, changing your sed statement -
$_ = '/[^\w\s\-\.]/_/';
s/[^a-z0-9]/\_/gi;
print "$_\n";
__END__
Outputs -
____w_s________
I make NO warranties about filename safeness with
regard to existing files...
There are CPAN modules you should research - in the meantime;
play with this -
#! /usr/local/bin/perl -w
use strict;
use warnings;
use 5.004;
use Fcntl qw(:DEFAULT :flock);
# Variables to set -
my $path = '/usr/local/apache2/htdocs/blackhole/';
my $ext = '.txt'; # WARNING: Do Not Use HTML!
# End of user configurable items...
# The file name is built from the clock, not from anything the user sent.
my ( $sec, $min, $hour, $mday, $mon, $year, $wday ) = localtime;
my $lt = sprintf("%02d%02d%02d%02d%02d%4d%d",
$sec, $min, $hour, $mday,
++$mon, ($year + 1900), $wday); # localtime's month is 0-based
$lt .= $ext;
$path .= $lt;
my $slt = scalar localtime; # human-readable stamp, if you want it in the body
# Open without O_TRUNC, take the exclusive lock, and only then truncate,
# so another process holding the lock never sees a half-written file.
sysopen(BLACKHOLE, $path, O_WRONLY | O_CREAT)
or die "can't create $path: $!";
flock(BLACKHOLE, LOCK_EX)
or die "can't lock $path: $!";
truncate(BLACKHOLE, 0)
or die "can't truncate $path: $!";
print BLACKHOLE <<_EndOfHeaders_;
$path
... whatever file contents ...
_EndOfHeaders_
close(BLACKHOLE)
or die "can't close $path: $!";
exit;
__END__
-- _Sx_ http://youve-reached-the.endoftheinternet.org/ _____ http://jaxpm.insecurity.org/ http://cis4dl.insecurity.org/
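An added example, not code from either poster in this thread: a Perl sanitiser that applies the allowlist idea from the reply above and then goes a little further than the one-liner, by stripping any directory part the client sent, refusing leading dots and empty results, capping the length, and finishing with a regex capture, because under perl -T only a capture clears the taint flag, while s/// on its own does not (which is also why the original poster's $1 was empty: s/// sets no capture group). The writer creates the file with O_EXCL so an existing file or a planted symlink is never opened. The names safe_attach_name and write_attachment, the 64-character limit, the temp directory and the sample inputs are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);
use File::Spec;
use File::Temp qw(tempdir);

# Allowlist-based sanitiser (hypothetical helper, not from the thread).
# Keeps only [A-Za-z0-9._-], collapses runs of anything else to "_",
# then handles what the character class alone cannot.
sub safe_attach_name {
    my ($name, $max_len) = @_;
    $max_len ||= 64;               # assumed limit
    $name = '' unless defined $name;

    # Drop any directory part ("../etc/passwd", "C:\foo\bar.txt"):
    # only the last path element is of interest.
    $name =~ s{^.*[/\\]}{};

    # The allowlist itself: anything outside the class becomes "_".
    $name =~ s/[^A-Za-z0-9._-]+/_/g;

    # No leading dots: "..", ".htaccess" and friends become "_...".
    $name =~ s/^\.+/_/;
    # And no ".." anywhere else, belt and braces.
    $name =~ s/\.{2,}/_/g;

    die "empty filename after sanitising\n" if $name =~ /^_*$/;

    # Truncate but keep a short extension.
    if (length($name) > $max_len) {
        my ($base, $ext) = $name =~ /^(.*?)(\.[A-Za-z0-9]{1,8})?$/;
        $ext = '' unless defined $ext;
        $name = substr($base, 0, $max_len - length $ext) . $ext;
    }

    # Final validation doubles as the taint-mode untaint: a capture
    # clears the taint flag, a substitution does not.
    ($name) = $name =~ /^([A-Za-z0-9._-]{1,$max_len})$/
        or die "filename failed final validation\n";
    return $name;
}

# Create the file with O_EXCL and a private mode: an existing file,
# or a symlink somebody else planted in the directory, is refused
# rather than opened and truncated.
sub write_attachment {
    my ($dir, $client_name, $content) = @_;
    my $name = safe_attach_name($client_name);
    my $path = File::Spec->catfile($dir, $name);

    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "can't create $path: $!\n";
    flock($fh, LOCK_EX) or die "can't lock $path: $!\n";
    print {$fh} $content;
    close($fh) or die "can't close $path: $!\n";
    return $path;
}

# Constructed inputs, not real uploads.
for my $in ('report.txt', '../../etc/passwd', '.htaccess',
            'C:\\Users\\me\\My Resume (final).DOC', '%%%%%') {
    my $out = eval { safe_attach_name($in) };
    printf "%-40s -> %s\n", $in,
        defined $out ? $out : do { chomp(my $e = $@); "REJECTED: $e" };
}

# Write once into a scratch directory, then show O_EXCL refusing a clobber.
my $dir = tempdir(CLEANUP => 1);
my $written = write_attachment($dir, 'My Resume (final).DOC', "constructed content\n");
print "wrote $written\n";
my $again = eval { write_attachment($dir, 'My Resume (final).DOC', "x\n") };
print "second write refused: $@" unless defined $again;
```

The demo turns '../../etc/passwd' into 'passwd', '.htaccess' into '_htaccess', the Windows path into 'My_Resume_final_.DOC', and rejects '%%%%%' outright; the second write_attachment call fails with "File exists" because of O_EXCL. If the upload directory is under the document root, as in the blackhole script above, the extension allowlist matters as much as the character allowlist: keep the WARNING about HTML in force.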