Posted to dev@perl.apache.org by Stas Bekman <st...@stason.org> on 2002/04/16 04:54:44 UTC

Re: cvs commit: modperl/File File.pm

>   +        ($tmpfile) = $tmpfile =~ /^([^<>|;*]+)$/; #untaint
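
Review bot: the character class on the `+` line, `[^<>|;*]`, is a denylist, so every character not listed passes and comes out untainted, including whitespace, newlines and the `?`, `[`, `]` glob characters. Consider an allowlist of the characters a temp file path legitimately contains, anchored with `\A` and `\z`. The visible line also has no check for a failed match, which leaves `$tmpfile` undefined after the list assignment, so test the result before it is used.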

Doug, will this do the right thing on all platforms? I'm simply looking for
a similar solution to a bug in Cwd.pm to generically untaint a path.
Shouldn't '?\[\]' be in the forbidden set? These are all parts of the 
wild chars set (at least in the shells that I know).

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: cvs commit: modperl/File File.pm

Posted by Doug MacEachern <do...@covalent.net>.
On Tue, 16 Apr 2002, Stas Bekman wrote:

> >   +        ($tmpfile) = $tmpfile =~ /^([^<>|;*]+)$/; #untaint
> 
> Doug, will this do the right thing on all platforms? I'm simply looking for
> a similar solution to a bug in Cwd.pm to generically untaint a path.
> Shouldn't '?\[\]' be in the forbidden set? These are all parts of the 
> wild chars set (at least in the shells that I know).

wild chars sets won't do much good if a shell can't be spawned, which is 
what ; and | prevent.  the '*' probably doesn't need to be there.  i 
dunno, this has been the same for years.  if there's a better "standard" 
untaint expression, feel free to update it.
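
The untaint expression discussed in this thread, run next to an allowlist on a few constructed paths. This is an added example, not code from the commit or from either poster; the allowlist pattern, the helper name `untaint_with` and the sample paths are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern from the commit under discussion: a denylist of five characters.
my $DENY = qr/^([^<>|;*]+)$/;

# Hypothetical stricter pattern (an assumption, not from the thread): an
# allowlist of path characters, anchored with \A and \z because $ also
# matches just before a trailing newline.
my $ALLOW = qr{\A([A-Za-z0-9_./-]+)\z};

# Return the captured (untainted) string, or undef when the match fails.
sub untaint_with {
    my ($re, $path) = @_;
    my ($clean) = $path =~ $re;
    return $clean;
}

# Constructed sample paths; none come from the original post.
my @samples = (
    [ 'plain temp path',  '/tmp/upload.1234'   ],
    [ 'glob characters',  '/tmp/up?load[0-9]'  ],
    [ 'embedded space',   '/tmp/a b'           ],
    [ 'trailing newline', "/tmp/upload.1234\n" ],
    [ 'pipe',             '/tmp/x|y'           ],
);

# Report which pattern accepts each path; callers must treat undef as failure.
for my $sample (@samples) {
    my ($label, $path) = @$sample;
    my $deny  = defined(untaint_with($DENY,  $path)) ? 'pass' : 'reject';
    my $allow = defined(untaint_with($ALLOW, $path)) ? 'pass' : 'reject';
    printf "%-18s denylist=%-6s allowlist=%s\n", $label, $deny, $allow;
}
```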

