[tpm] Irritation problem
Liam R E Quin
liam at holoweb.net
Mon Apr 9 13:24:09 PDT 2012
On Mon, 2012-04-09 at 16:20 -0400, Chris Jones wrote:
> Does this example untaint the incoming $value data being fed into the
> %confighash?
> if( $cfgLine =~ /([\w]+)\t([-\w\/.]+)$/)
> {
> my $key = $1;
> my $value = $2;
> print ("Key: $key, Value: $value\n");
> $confighash{ $key } = $value;
Yes.
It's up to you to check for things like ../../../etc/passwd though.
> }
>
> }
> close $fhIn;
>
> In the above example, I may be including some invalid path characters?
> The value can be a number or a valid path | path/filename statement.
Filenames on most operating systems can include letters, digits, hyphen,
but watch that \w probably uses your system's locale (and usually UTF8
if Linux), so é is allowed too... legal and fine if it's what you want.
If you mean / [a-z/.-] /i, then say that instead ;)
Liam
--
Liam Quin - XML Activity Lead, W3C, http://www.w3.org/People/Quin/
Pictures from old books: http://fromoldbooks.org/
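
Added example, not part of the original message or of either poster's code: a stricter version of the check discussed above, using an explicit ASCII character class in place of \w, anchoring the whole line, and rejecting ".." path segments separately. The sub name parse_config_line and the sample lines are constructed for illustration.

```perl
use strict;
use warnings;

# Constructed sample lines (key, TAB, value); not from the original post.
my @sample = (
    "logdir\t/var/log/myapp",
    "retries\t3",
    "datafile\t../../../etc/passwd",   # passes the character class, walks upward
    "conf\tcaf\x{e9}.conf",            # e-acute: outside the ASCII class
    "junk here logdir\t/tmp/x",        # leading text an unanchored pattern ignores
);

# Returns (key, value) on success, or an empty list if the line is rejected.
# Under perl -T, $1 and $2 are untainted copies of what the regex matched,
# so the pattern has to describe exactly what is acceptable.
sub parse_config_line {
    my ($line) = @_;
    chomp $line;

    # Explicit ASCII classes instead of \w; \A and \z anchor the whole line.
    return unless $line =~ m{\A([A-Za-z0-9_]+)\t([A-Za-z0-9_./-]+)\z};
    my ($key, $value) = ($1, $2);

    # The class still admits "..", so path segments are checked separately.
    return if grep { $_ eq '..' } split m{/}, $value;

    return ($key, $value);
}

my %confighash;
for my $line (@sample) {
    if (my ($key, $value) = parse_config_line($line)) {
        $confighash{$key} = $value;
        print "accepted: $key => $value\n";
    } else {
        print "rejected: $line\n";
    }
}
```

Only the first two sample lines are accepted. The string literals here are not tainted, so the run shows the validation logic only; with lines read from a file under perl -T the same captures are what produce the untainted values.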