Check valid filename before copy

Gary Mayor

Hi,
I'm getting a filename from a user then copying a file to a new file
with the new filename specified by the user. So the script is like this

$file = param("file");

system("cp $from $file");

I need to check the $file string for any invalid characters such as ../
@ |. I can do a regex expression to check them but I was hoping someone
had already done the expressions what would be all the characters I
would need to check for security reasons?

Sample Regex

$file=~/\.|\..|\/|\@/)

Is there a better way

Ideas Please?

Thanks

Gary
 
Ben Morrow

Gary Mayor said:
I'm getting a filename from a user then copying a file to a new file
with the new filename specified by the user. So the script is like this

$file = param("file");

system("cp $from $file");

Don't use system, use File::Copy.
I need to check the $file string for any invalid characters such as ../
@ |. I can do a regex expression to check them but I was hoping someone
had already done the expressions what would be all the characters I
would need to check for security reasons?

Sample Regex

$file=~/\.|\..|\/|\@/)

Is there a better way

Ideas Please?

Don't look for invalid characters, look for valid ones.

die unless $file =~ /^[\w.-+]+$/;

Ben
 
Gary Mayor

Ben said:
Gary Mayor said:
I'm getting a filename from a user then copying a file to a new file
with the new filename specified by the user. So the script is like this

$file = param("file");

system("cp $from $file");


Don't use system, use File::Copy.

I need to check the $file string for any invalid characters such as ../
@ |. I can do a regex expression to check them but I was hoping someone
had already done the expressions what would be all the characters I
would need to check for security reasons?

Sample Regex

$file=~/\.|\..|\/|\@/)

Is there a better way

Ideas Please?


Don't look for invalid characters, look for valid ones.

die unless $file =~ /^[\w.-+]+$/;

Ben

Hi,
Thanks for that but I've tried that regex as

if ($name1 =~ /^[\w.-+]+$/) {
move("$location2$file","$location2$name1");
}

but I get this error

Invalid [] range ".-+" in regex; marked by <-- HERE in m/^[\w.-+ <--
HERE ]+$/

What's up with the .-+

Any ideas?

Thanks

Gary
 
Ben Morrow

Gary Mayor said:
Ben said:
Don't look for invalid characters, look for valid ones.

die unless $file =~ /^[\w.-+]+$/;

Ben

Thanks for that but I've tried that regex as

if ($name1 =~ /^[\w.-+]+$/) {
move("$location2$file","$location2$name1");
}

but I get this error

Invalid [] range ".-+" in regex; marked by <-- HERE in m/^[\w.-+ <--
HERE ]+$/

What's up with the .-+

I'm a fool is what :).

Try it as /^[\w.+-]+$/.

Sorry.

Ben
 
Gary Mayor

Greg said:
Just imagine the havoc I could wreak on your system if I decided to send you
a $file like this through your HTML form...

;cd /; rm -f *;

My point exactly just done a test with the regex /^[\w.+-]+$/ and it
picked it out as invalid so must be working.

Cheers
 
Anno Siegel

Gary Mayor said:
Greg said:
Just imagine the havoc I could wreak on your system if I decided to send you
a $file like this through your HTML form...

;cd /; rm -f *;

My point exactly just done a test with the regex /^[\w.+-]+$/ and it
picked it out as invalid so must be working.

Oh dear... Security at its finest.

Anno
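
The advice in this thread combined into one script, as an added example that is not part of any post above: an allowlist check followed by File::Copy instead of system. It goes beyond the regex as posted by anchoring with \A and \z (a trailing newline passes ^...$) and by refusing dot-only names and a leading '-', which the character class alone accepts; safe_filename, the scratch directory and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Copy qw(copy);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: returns the name if it is a safe single path
# component, otherwise returns undef (in scalar context).
sub safe_filename {
    my ($name) = @_;
    return unless defined $name;
    # \A and \z anchor to the true start and end of the string; with ^ and $
    # a trailing newline ("ok.txt\n") would still match. /a keeps \w ASCII-only.
    return unless $name =~ /\A[\w.+-]{1,255}\z/a;
    # The character class allows dots, so ".", ".." and other dot-only
    # names must be refused separately.
    return if $name =~ /\A\.+\z/;
    # No leading '-', so the name is never read as an option by other tools.
    return if $name =~ /\A-/;
    return $name;
}

# Constructed demo: scratch directory and source file.
my $dir  = tempdir(CLEANUP => 1);
my $from = File::Spec->catfile($dir, 'source.dat');
open my $fh, '>', $from or die "create $from: $!";
print {$fh} "sample data\n";
close $fh;

# Constructed inputs standing in for param("file").
for my $input ('report-2.txt', '../etc/passwd', ';cd /; rm -f *;',
               "ok.txt\n", '..', '-rf') {
    (my $shown = $input) =~ s/\n/\\n/g;
    my $name = safe_filename($input);
    unless (defined $name) {
        print "rejected: '$shown'\n";
        next;
    }
    my $to = File::Spec->catfile($dir, $name);
    # File::Copy::copy never invokes a shell, unlike system("cp $from $file").
    copy($from, $to) or die "copy to $to failed: $!";
    print "copied:   '$shown'\n";
}
```

Only report-2.txt is copied; the other five inputs are rejected before any file operation takes place.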
 
