Stories
Slash Boxes
Comments

NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

use Perl

All the Perl that's Practical to Extract and Report

Reading Attachments More | Login | Reply

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Without JavaScript enabled, you might want to use the classic discussion system instead. If you login, you can remember this preference.

Path Attacks? (Score:1)

by pjf (2464) on 2004.11.03 8:23 (#35730) Homepage Journal

Davorg knocked up a script that contained:

my $file = DUMP . $mime->filename(1); open FILE, '>', $file or die $!;

What happens when I send you an attachment with a filename of ../../../../../home/davorg/.ssh/authorized_keys, or perhaps more innocently .htaccess?

This is an excellent use for File::Basename, and Aristotle's previous sysopen() involving O_EXCL|O_CREAT.

No prizes for guessing which course [perltraining.com.au] I've been recently reviewing.

Reply to This
- Re:Path Attacks? (Score:2)
  
  by davorg (18)
  
  I don't suppose you'd believe that this was a simplified copy of the program would you :)
  
  It's also been pointed out that an attachment called .htaccess would have interesting results.

Get More Comments

Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.