[fpc-pascal] Function for checking correct file name
Mark Morgan Lloyd
markMLl.fpc-pascal at telemetry.co.uk
Sun Sep 16 10:12:08 CEST 2012
Jorge Aldo G. de F. Junior wrote:
> I believe that you already know that, but that's why I asked if others
> are considering the security risk involved in filenames.
>
> For evidence sake look at this old IIS bug :
>
> http://www.hackingspirits.com/eth-hac/papers/iis_uni.html
>
> Moral: Filenames can be nasty and filename checking functions tend
> to be complex...
The security risk there isn't in the filename per se, but in what it's
passed to. You can safely put most characters in a filename, but the
result of that must be checked before being passed to a unix shell, to
IIS, to ShellExecuteEx() (or whatever the name of the Windows function
is) and so on: that's why Perl has the "tainted" concept that allows
anything injected by a user to be tracked and treated as potentially
hostile.
--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk
[Opinions above are the author's, not those of his employers or colleagues]
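Added example, not part of the original thread: a small Free Pascal program that makes the point above concrete. The same user-supplied name is handed to two different sinks: once glued into a command line that /bin/sh parses (injectable), once as a single argv element passed straight to ls via the process unit's RunCommand (the shell never sees it). A third function shows a check that is tied to the filesystem sink (single path component, stays under a base directory) rather than to a blacklist of "bad" characters. Assumptions: a Unix host with /bin/sh and /bin/ls, FPC with the process unit; BaseDir is a hypothetical path and TaintedName is a constructed input, both chosen for the demonstration.

```pascal
program filename_sinks;
{$mode objfpc}{$H+}

uses
  SysUtils, Process;

const
  // Constructed sample input for this example: a perfectly legal Unix
  // filename (only '/' and NUL are forbidden in a name) that a shell
  // would nevertheless read as two commands.
  TaintedName = 'report.txt; echo INJECTED';
  // Hypothetical upload root used by the path check below.
  BaseDir = '/var/app/uploads';

{ Unsafe sink: the user string is concatenated into a command line that
  /bin/sh tokenises, so the ';' terminates "ls -l" and the remainder is
  executed as a second command. }
function ListViaShell(const FileName: string): string;
begin
  RunCommand('/bin/sh', ['-c', 'ls -l ' + FileName], Result);
end;

{ Safe sink: the filename is one argv element handed directly to ls.
  No shell parses it, so metacharacters are just bytes in a name.
  '--' keeps a name beginning with '-' from being read as an option. }
function ListViaArgv(const FileName: string): string;
begin
  RunCommand('/bin/ls', ['-l', '--', FileName], Result);
end;

{ A check that belongs to the filesystem sink rather than to a fixed
  character blacklist: the name must be a single path component (no
  directory separator, no NUL, not "." or "..") and the resolved path
  must remain under BaseDir. Returns the full path, or '' on rejection. }
function SafeUploadPath(const UserName: string): string;
var
  Root, Full: string;
begin
  Result := '';
  if (UserName = '') or (UserName = '.') or (UserName = '..') then Exit;
  if Pos(#0, UserName) > 0 then Exit;
  if Pos(DirectorySeparator, UserName) > 0 then Exit;
  Root := IncludeTrailingPathDelimiter(BaseDir);
  // ExpandFileName normalises any ".." segments, so a name that somehow
  // escaped the root is caught here even if the checks above were bypassed.
  Full := ExpandFileName(Root + UserName);
  if Copy(Full, 1, Length(Root)) <> Root then Exit;
  Result := Full;
end;

begin
  WriteLn('--- shell sink: the name is parsed by /bin/sh ---');
  WriteLn(ListViaShell(TaintedName));
  WriteLn('--- argv sink: the name reaches ls as one literal argument ---');
  WriteLn(ListViaArgv(TaintedName));
  WriteLn('--- path check tied to the filesystem sink ---');
  WriteLn('report.txt    -> "', SafeUploadPath('report.txt'), '"');
  WriteLn('../etc/passwd -> "', SafeUploadPath('../etc/passwd'), '"');
  WriteLn('tainted name  -> "', SafeUploadPath(TaintedName), '"');
end.
```

Compile with `fpc filename_sinks.pas` and run it. The shell variant shows the injected command's output; the argv variant only has ls complain about a file that does not exist. Note that SafeUploadPath accepts the tainted name: it is a valid single-component filename, and rejecting it there would be the wrong layer. The check that matters for a shell or ShellExecuteEx() sink is to avoid building a command string in the first place.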