Untaint file name

John S

Hi,
In an earlier post the following was suggested by Gunnar:

if ( $PATH =~ /^([-\/\w])$/ ) {...

Would adding an underscore introduce any risks? Also, the % character (if
there was a space e.g. '%20')?
Thanks in advance.

wfsp
 
gnari

John S said:
> Hi,
> In an earlier post the following was suggested by Gunnar:
>
> if ( $PATH =~ /^([-\/\w])$/ ) {...
>
> Would adding an underscore introduce any risks? Also, the % character (if
> there was a space e.g. '%20')?

it all depends on what you are going to do with it.
in the context of a filepath, underscores are harmless,
but I do not see how the %20 comes into it. are you
going to use the path in a query string ?

if the context is a file name, spaces can be ok if you take
care not to use it unquoted in system calls, where a space
might change the meaning. for example if you have a file
name $file="foo bar" , then this might not be what you wanted:
system("rm temp/$file"); # rm temp/foo bar (deletes ./bar)
but this might be:
system("rm 'temp/$file'");

the idea behind the untaint, is that you are declaring
that you are dealing with a certain type of input.

gnari
 
Gunnar Hjalmarsson

John said:
> In an earlier post the following was suggested by Gunnar:
>
> if ( $PATH =~ /^([-\/\w])$/ ) {...

Hopefully it wasn't, since it would require that $PATH contains only
one character...

> Would adding an underscore introduce any risks?

Doing so would not make a difference at all, since the underscore is
included in the \w character class.

> Also, the % character (if there was a space e.g. '%20')?

Paths do not get URI encoded, so adding % for that reason appears to
be pointless.

I suppose you are on Windows, since you worry about possible spaces,
and that we are talking about the full path to a file. In that case
there are a couple of other things to consider. Something like this
should - typically - work on both *nix and Windows:

if ( $PATH =~ /^([-\w\/\\.: ]+)$/ ) {...
 
John S

Many thanks for prompt replies. You have answered my concerns.

My 'email this article to a friend' cgi script receives the email address
and path from a form. It opens the file, tokeparsers it and emails it.

One more question:
The script is in a directory 2 levels down from the root. To open the file
I am adding '../../' to the front of the string. Is this a concern?

Thanks again
wfsp

(I always have a massive attack of FUD in general and with taint in
particular!)
 
gnari

John S said:
> Many thanks for prompt replies. You have answered my concerns.
>
> My 'email this article to a friend' cgi script receives the email address
> and path from a form. It opens the file, tokeparsers it and emails it.
>
> One more question:
> The script is in a directory 2 levels down from the root. To open the file
> I am adding '../../' to the front of the string. Is this a concern?

you mean, if the user sends filename 'etc/passwd', you will send
'/etc/passwd' to him by email ? or did you mean document root?

it is better to use an absolute path to your articles, and make sure the
input filename does not contain ../ , so if the filename is foo/bar, you add
'/my/articles/' to get '/my/articles/foo/bar'.
this would give access to all files under /my/articles/
if you only want to give access to a subset of the files, you either
need to find a pattern that matches only those files, or look up
the filename in a hash or something.

gnari
 
John S

gnari said:
> you mean, if the user sends filename 'etc/passwd', you will send
> '/etc/passwd' to him by email ? or did you mean document root?
>
> it is better to use an absolute path to your articles, and make sure
> the input filename does not contain ../ , so if the filename is foo/bar,
> you add '/my/articles/' to get '/my/articles/foo/bar'.
> this would give access to all files under /my/articles/
> if you only want to give access to a subset of the files, you either
> need to find a pattern that matches only those files, or look up
> the filename in a hash or something.
>
> gnari

Sorry, yes, I meant document root. You're right, the absolute path would
be better and I can find a pattern for the subset.

Many thanks,
wfsp
 
Joe Smith

Gunnar said:
> Something like this should -
> typically - work on both *nix and Windows:
>
> if ( $PATH =~ /^([-\w\/\\.: ]+)$/ ) {...

That makes sure the filename does not contain shell metacharacters,
but does not guard against malicious input. A separate check should
be made to watch out for things like "../../../etc/passwd".

-Joe
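
The checks suggested across this thread (a whitelist regex, a separate test for `../`, and an absolute base directory), combined in one routine as an added example that is not code from any of the posters. `article_path`, the temporary base directory and the sample names are hypothetical; the whitelist is deliberately narrower than Gunnar's because it only has to match relative article names, and the symlink check with `Cwd::realpath` goes one step beyond what the thread discusses.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Hypothetical helper: map a form-supplied name to a file under $base,
# or return nothing if the name fails any check.
sub article_path {
    my ($base, $name) = @_;
    return unless defined $name;

    # 1. Whitelist. Under -T, the capture is what untaints the value.
    my ($clean) = $name =~ m{\A([-\w./]+)\z} or return;

    # 2. Separate traversal check: no leading '/', no '', '.' or '..' segments.
    return if $clean =~ m{\A/};
    return if grep { $_ eq '' || $_ eq '.' || $_ eq '..' } split m{/}, $clean, -1;

    # 3. Resolve symlinks and confirm the file is still inside $base.
    my $root = realpath($base)          or return;
    my $full = realpath("$root/$clean") or return;
    return unless index($full, "$root/") == 0 && -f $full;

    return "$base/$clean";
}

# Constructed demo tree: one article, one file outside the base, and
# (where symlinks are supported) a link inside the base that points out of it.
my $tmp  = tempdir(CLEANUP => 1);
my $base = "$tmp/articles";
make_path("$base/foo");
for my $file ("$base/foo/bar.html", "$tmp/secret.txt") {
    open my $fh, '>', $file or die "$file: $!";
    print {$fh} "sample\n";
    close $fh;
}
eval { symlink "$tmp/secret.txt", "$base/foo/link.html" };

# Constructed inputs, as they might arrive from the form.
for my $name ('foo/bar.html', '../secret.txt', 'foo/../../secret.txt',
              '/etc/passwd', 'foo/link.html', 'foo bar', 'foo/missing.html') {
    printf "%-22s %s\n", $name,
        article_path($base, $name) ? 'accepted' : 'rejected';
}
```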
 
