develooper Front page | perl.beginners | Postings from March 2002

Understanding untaint

From:
Tom Ransom
Date:
March 29, 2002 14:23
Subject:
Understanding untaint
Message ID:
p0510151bb8ca953dafb5@[192.168.254.14]
I need help debugging/understanding how this piece of code is 
working. I have checked values going into and within "cl" and it 
operates as expected. Where does the "%+" come from?

===================================================
$DataDir="/www/htdocs/";
$template_directory="templates/";
$template_name="main.htm";

results in "%+/www/htdocs/templates/main.htm"


     &cl("$DataDir$template_directory$template_name") =~ /(.+)/;
     my $temp_file = $1;           #keeps nasties from manipulating browser window

======================================

sub cl {                                  #untaints for safe open/system calls
     $ENV{'PATH'} = '';
     my $path = shift(@_);
     $path =~ s/[\^\~\\;<>\*\|`&\$!#\(\)\[\]\{\}'"\s]//g;     #remove metas
     $path =~ s/\.+/./g;           #remove ../ exploit
     return $path;
}

-- 

Tom Ransom                       mailto:transom@1bigidea.com
------------------------------------------------------------------------
After all, it just takes one BIG idea to make your marketing
program stand out in the crowd.  <http://1bigidea.com>
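As an added illustration (not Tom's code), here is an allowlist-style version of the untaint step: rather than stripping characters known to be bad and then capturing everything with `/(.+)/`, it captures only the characters the path is allowed to contain and rejects `..` components and absolute paths outright. The function name `untaint_template_path` and the sample inputs are assumptions for the example.

```perl
#!/usr/bin/perl
# In a real CGI this would run under taint mode (perl -T); the literals
# used below are not tainted, so the script also runs without it.
use strict;
use warnings;
use File::Spec;

# Constructed base directory (the post uses /www/htdocs/).
my $DATA_DIR = '/www/htdocs/';

# Allowlist untaint: accept only a relative path built from word
# characters, dots, slashes and dashes. The capture group is what
# clears the taint flag, so it must match only what we trust.
# Returns the assembled path, or undef when the input is rejected.
sub untaint_template_path {
    my ($base, $rel) = @_;

    return undef unless $rel =~ m{\A([\w./-]+)\z};
    my $clean = $1;

    # Reject traversal and absolute paths explicitly instead of
    # rewriting them (collapsing dots can still leave surprises).
    return undef if $clean =~ m{(?:\A|/)\.\.(?:/|\z)};
    return undef if $clean =~ m{\A/};

    return File::Spec->catfile($base, $clean);
}

# Constructed sample inputs: one good path and three that must be refused.
for my $candidate ('templates/main.htm', '../etc/passwd',
                   'templates/$(id).htm', '/etc/passwd') {
    my $path = untaint_template_path($DATA_DIR, $candidate);
    printf "%-22s => %s\n", $candidate, defined $path ? $path : 'REJECTED';
}
```

Because the caller receives `undef` for anything outside the allowlist, a rejected request fails closed instead of being silently rewritten into some other file name.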
