Check valid filename before copy

Discussion in 'Perl Misc' started by Gary Mayor, Feb 25, 2004.

  1. Gary Mayor

    Hi,
    I'm getting a filename from a user then copying a file to a new file
    with the new filename specified by the user. So the script is like this

    $file = param("file");

    system("cp $from $file");

    I need to check the $file string for any invalid characters such as ../,
    @ and |. I can write a regex to check for them, but I was hoping someone
    had already done the expressions. What would be all the characters I
    would need to check for security reasons?

    Sample Regex

    $file =~ /\.|\.\.|\/|\@/

    Is there a better way?

    Ideas Please?

    Thanks

    Gary
     
    Gary Mayor, Feb 25, 2004
    #1

  2. Ben Morrow

    Gary Mayor <> wrote:
    > I'm getting a filename from a user then copying a file to a new file
    > with the new filename specified by the user. So the script is like this
    >
    > $file = param("file");
    >
    > system("cp $from $file");


    Don't use system, use File::Copy.

    > I need to check the $file string for any invalid characters such as ../,
    > @ and |. I can write a regex to check for them, but I was hoping someone
    > had already done the expressions. What would be all the characters I
    > would need to check for security reasons?
    >
    > Sample Regex
    >
    > $file =~ /\.|\.\.|\/|\@/
    >
    > Is there a better way?
    >
    > Ideas Please?


    Don't look for invalid characters, look for valid ones.

    die unless $file =~ /^[\w.-+]+$/;

    Ben

    --
    We do not stop playing because we grow old;
    we grow old because we stop playing.
     
    Ben Morrow, Feb 25, 2004
    #2

  3. Gary Mayor

    Ben Morrow wrote:
    > Gary Mayor <> wrote:
    >
    >>I'm getting a filename from a user then copying a file to a new file
    >>with the new filename specified by the user. So the script is like this
    >>
    >>$file = param("file");
    >>
    >>system("cp $from $file");

    >
    >
    > Don't use system, use File::Copy.
    >
    >
    >>I need to check the $file string for any invalid characters such as ../,
    >>@ and |. I can write a regex to check for them, but I was hoping someone
    >>had already done the expressions. What would be all the characters I
    >>would need to check for security reasons?
    >>
    >>Sample Regex
    >>
    >>$file =~ /\.|\.\.|\/|\@/
    >>
    >>Is there a better way?
    >>
    >>Ideas Please?

    >
    >
    > Don't look for invalid characters, look for valid ones.
    >
    > die unless $file =~ /^[\w.-+]+$/;
    >
    > Ben
    >


    Hi,
    Thanks for that, but I've tried that regex as

    if ($name1 =~ /^[\w.-+]+$/) {
    move("$location2$file","$location2$name1");
    }

    but I get this error

    Invalid [] range ".-+" in regex; marked by <-- HERE in m/^[\w.-+ <--
    HERE ]+$/

    What's up with the .-+?

    Any ideas?

    Thanks

    Gary
     
    Gary Mayor, Feb 25, 2004
    #3
  4. Ben Morrow

    Gary Mayor <> wrote:
    > Ben Morrow wrote:
    > > Don't look for invalid characters, look for valid ones.
    > >
    > > die unless $file =~ /^[\w.-+]+$/;
    > >
    > > Ben
    > >

    >
    > Thanks for that, but I've tried that regex as
    >
    > if ($name1 =~ /^[\w.-+]+$/) {
    > move("$location2$file","$location2$name1");
    > }
    >
    > but I get this error
    >
    > Invalid [] range ".-+" in regex; marked by <-- HERE in m/^[\w.-+ <--
    > HERE ]+$/
    >
    > What's up with the .-+?


    I'm a fool is what :).

    Try it as /^[\w.+-]+$/.

    Sorry.

    Ben

    --
    Heracles: Vulture! Here's a titbit for you / A few dried molecules of the gall
    From the liver of a friend of yours. / Excuse the arrow but I have no spoon.
    (Ted Hughes, /Alcestis/)
    [ Heracles shoots Vulture with arrow. Vulture bursts into flame, and falls out of sight. ]
     
    Ben Morrow, Feb 25, 2004
    #4
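Added example, not code from the thread: the allow-list check as Ben Morrow describes it, with the corrected character class, File::Copy in place of system("cp ..."), and two caveats the bare pattern does not cover. In Perl, $ also matches before a trailing newline, so /^[\w.+-]+$/ accepts "name\n"; the example anchors with \A and \z instead. The class also admits "." and ".." outright, so those are rejected by name, and a leading "-" is refused because a shell tool would read it as an option. The subroutine names valid_filename and safe_copy, the probe strings, and the temporary-directory round trip are assumptions made for this example; the /a modifier needs Perl 5.14 or later.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Allow-list filename check in the
# spirit of Ben Morrow's reply, plus File::Copy instead of a shell command.
# Sub names (valid_filename, safe_copy) and all inputs are made up here.
use strict;
use warnings;
use File::Copy qw(copy);
use File::Spec;
use File::Temp qw(tempdir);

# Returns 1 if $name is acceptable as a single path component, else 0.
sub valid_filename {
    my ($name) = @_;
    return 0 unless defined $name && length $name;

    # Allow-list: word characters, dot, plus, hyphen. The hyphen goes last in
    # the class so it is literal ("[\w.-+]" is the invalid range from the
    # thread). \A and \z are used instead of ^ and $ because $ also matches
    # before a trailing newline, so "name\n" would otherwise pass. The /a
    # modifier (Perl 5.14+) keeps \w to ASCII [A-Za-z0-9_].
    return 0 unless $name =~ /\A[\w.+-]+\z/a;

    # The class above still admits "." and "..", which name directories.
    return 0 if $name eq '.' || $name eq '..';

    # A leading "-" is harmless to File::Copy but would be read as an option
    # by any shell tool the name later reaches, so reject it as well.
    return 0 if $name =~ /\A-/;

    return 1;
}

# Copies $from into $dir under the user-supplied $name without a shell.
sub safe_copy {
    my ($from, $dir, $name) = @_;
    die "invalid filename\n" unless valid_filename($name);
    my $target = File::Spec->catfile($dir, $name);
    copy($from, $target) or die "copy failed: $!\n";
    return $target;
}

# Constructed probe inputs, with the expected verdict.
my @probes = (
    'report.txt',         # accepted
    'backup-2004.tar.gz', # accepted
    "report.txt\n",       # rejected: trailing newline (would pass with $)
    '../etc/passwd',      # rejected: "/" is not in the class
    ';cd /; rm -f *;',    # rejected: ";", " " and "/" are not in the class
    'x|cat /etc/passwd',  # rejected: "|"
    'a@b',                # rejected: "@"
    '..',                 # rejected only by the explicit check
    '-rf',                # rejected by the leading-hyphen rule
);
for my $p (@probes) {
    (my $shown = $p) =~ s/\n/\\n/g;
    printf "%-22s %s\n", $shown, valid_filename($p) ? 'accepted' : 'rejected';
}

# Round trip through safe_copy in a throwaway directory.
my $dir = tempdir(CLEANUP => 1);
my $src = File::Spec->catfile($dir, 'source.dat');
open my $fh, '>', $src or die "open: $!\n";
print {$fh} "sample data\n";
close $fh;

my $copied = safe_copy($src, $dir, 'report.txt');
print "copied to $copied\n" if -e $copied;

eval { safe_copy($src, $dir, '../escape') };
print "refused: $@" if $@;
```

The check deliberately validates the bare name and then builds the target path itself with File::Spec, so the user never supplies a directory component; if the application later needs to allow subdirectories, validate each component separately rather than widening the class to include "/".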
  5. Gary Mayor

    Greg Patnude wrote:
    > Just imagine the havoc I could wreak on your system if I decided to send you
    > a $file like this through your HTML form...
    >
    > ;cd /; rm -f *;
    >


    My point exactly. I've just done a test with the regex /^[\w.+-]+$/ and it
    picked it out as invalid, so it must be working.

    Cheers
     
    Gary Mayor, Feb 25, 2004
    #5
  6. Anno Siegel

    Gary Mayor <> wrote in comp.lang.perl.misc:
    > Greg Patnude wrote:
    > > Just imagine the havoc I could wreak on your system if I decided to send you
    > > a $file like this through your HTML form...
    > >
    > > ;cd /; rm -f *;
    > >

    >
    > My point exactly. I've just done a test with the regex /^[\w.+-]+$/ and it
    > picked it out as invalid, so it must be working.


    Oh dear... Security at its finest.

    Anno
     
    Anno Siegel, Feb 26, 2004
    #6