[fpc-pascal] Function for checking correct file name

Mark Morgan Lloyd markMLl.fpc-pascal at telemetry.co.uk
Sun Sep 16 10:12:08 CEST 2012


Jorge Aldo G. de F. Junior wrote:

> I believe that you already know that, but that's why I asked if others
> are considering the security risk involved in filenames.
> 
> For evidence's sake look at this old IIS bug:
> 
> http://www.hackingspirits.com/eth-hac/papers/iis_uni.html
> 
> Moral: Filenames can be nasty and filename checking functions tend
> to be complex...

The security risk there isn't in the filename per se, but in what it's 
passed to. You can safely put most characters in a filename, but the 
result of that must be checked before being passed to a unix shell, to 
IIS, to ShellExecuteEx() (or whatever the name of the Windows function 
is) and so on: that's why Perl has the "tainted" concept that allows 
anything injected by a user to be tracked and treated as potentially 
hostile.

-- 
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
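The following Free Pascal program is an added illustration of the point made above and is not code from this thread or from the FPC project. It imitates Perl's taint flag in a small way: a name supplied by the user stays marked as tainted until it passes an allow-list check for the specific consumer it is about to be handed to (the file system, or a Unix shell command line, which refuses a larger set of characters), and the consumer refuses any value that is still tainted. The type and routine names (TTaintedName, IsAcceptable, Untaint, PassToSink), the sink enumeration and the set of shell metacharacters are choices made for this example, not anything from the original message.

```pascal
program TaintedFilenameDemo;
{$mode objfpc}{$H+}
uses
  SysUtils;

type
  // Who the name is about to be handed to. The acceptable character set
  // depends on the consumer, not on the file system alone. Later values
  // are stricter than earlier ones (a name checked for the shell is also
  // acceptable for the file system).
  TSink = (skFileSystem, skUnixShell);

  // A minimal imitation of Perl's taint flag (hypothetical type for this
  // example): user-supplied data stays tainted until explicitly checked.
  TTaintedName = record
    Value: string;
    Tainted: Boolean;
    CheckedFor: TSink;
  end;

function TaintedName(const S: string): TTaintedName;
begin
  Result.Value := S;
  Result.Tainted := True;
  Result.CheckedFor := skFileSystem;
end;

// Allow-list check for a single path component. Refuses anything that
// could change the meaning of the name at the consumer: empty names,
// '.' and '..', control characters (NUL included) and path separators.
// For a shell sink, shell metacharacters are refused as well; quoting
// rules differ between shells, so refusing is safer than escaping.
function IsAcceptable(const S: string; Sink: TSink): Boolean;
const
  ShellMeta: set of Char =
    [' ', #9, '!', '"', '#', '$', '%', '&', '''', '(', ')', '*', ';',
     '<', '=', '>', '?', '[', ']', '\', '`', '{', '|', '}', '~'];
var
  i: Integer;
begin
  Result := False;
  if (S = '') or (Length(S) > 255) then Exit;
  if (S = '.') or (S = '..') then Exit;
  for i := 1 to Length(S) do
  begin
    if (S[i] < #32) or (S[i] = #127) then Exit;          // control chars, NUL
    if S[i] in ['/', '\', ':'] then Exit;                 // separators, drive letters
    if (Sink = skUnixShell) and (S[i] in ShellMeta) then Exit;
  end;
  Result := True;
end;

// Clears the taint flag only if the value passes the check for the sink
// it is about to be used with.
function Untaint(var N: TTaintedName; Sink: TSink): Boolean;
begin
  Result := IsAcceptable(N.Value, Sink);
  if Result then
  begin
    N.Tainted := False;
    N.CheckedFor := Sink;
  end;
end;

// A consumer that insists on an untainted value checked for at least
// its own strictness level; the actual file or shell use would go here.
procedure PassToSink(const N: TTaintedName; Sink: TSink);
begin
  if N.Tainted or (Ord(N.CheckedFor) < Ord(Sink)) then
    raise Exception.Create('refusing tainted or under-checked name: ' + N.Value);
  WriteLn('  accepted by sink ', Ord(Sink), ': ', N.Value);
end;

const
  // Constructed sample inputs standing in for names typed by a user.
  Samples: array[0..4] of string =
    ('report.txt', '../etc/passwd', 'a;rm -rf x', 'notes 2012.txt', 'a'#0'b');

var
  i: Integer;
  N: TTaintedName;
begin
  for i := 0 to High(Samples) do
  begin
    N := TaintedName(Samples[i]);
    WriteLn('"', StringReplace(Samples[i], #0, '\0', [rfReplaceAll]), '":');
    if Untaint(N, skUnixShell) then
      PassToSink(N, skUnixShell)          // safe for a shell, hence also for the file system
    else if Untaint(N, skFileSystem) then
      PassToSink(N, skFileSystem)         // plain file name only; never put it on a command line
    else
      WriteLn('  rejected for every sink');
  end;
end.
```

Of the constructed samples, only `report.txt` passes the shell check; `notes 2012.txt` is a perfectly good file name but is refused for the shell because of the space, and the other three are refused everywhere. Note that the check is deliberately an allow list of what the consumer can take rather than a deny list of known-bad patterns, which is where the IIS Unicode case went wrong.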
