Posted by shimmyshack on 05/14/07 18:52
On May 14, 7:41 pm, Good Man <h...@letsgo.com> wrote:
> shimmyshack <matt.fa...@gmail.com> wrote in news:1179166417.178718.236160@y80g2000hsf.googlegroups.com:
>
> >> > Though it would likely be much easier if you were to strip out all
> >> > characters except alpha, numeric, and the underscore prior to
> >> > storage (file and database entry). Perhaps replace spaces with
> >> > underscores.
>
> >> I agree. Here's what I use to "clean" the filenames of all uploaded
> >> files:
>
> >> function cleanFile ($filename) { //clean up the file name
> > the trouble with this kind of blacklist banning is that it allows
> > encoding and other forms of clever attack.
> > better to use a whitelist.
>
> How would you use a 'whitelist' in this case? By only allowing filenames
> with alphanumeric characters? If that were the case, that would require
> forcing your user to rename their files before upload... time-intensive and
> annoying...
No, just use the kind of one-liner specified earlier in this post using
eregi_replace or preg_replace: no requirement on the user, and you
can allow any UTF-8 character you think is reasonable without allowing
attacks and without banning characters like comma (,), apostrophe (')
and space ( ), which are all legitimate chars for a filesystem and
should really be allowed if the OS supports them.
Perhaps you can explain this line:
$filename = str_replace("","",$filename);
and then check out SQL, command, XSS and other injection attacks and
why blacklisting doesn't work; here for example is OWASP's good-practice
advice (for SQL injection prevention):
"Use vigorous white-list style checking on any user input"
The same goes for any user input.
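The whitelist approach argued for above, written out as an added example (this is not code from either poster). It assumes PHP with the PCRE extension; the allowed set (letters and digits in any script, space, underscore, hyphen, dot, comma, apostrophe) and the sample filenames are constructed for illustration, and the `basename()` call and dot-collapsing are extra hardening steps the thread does not mention.

```php
<?php
// Whitelist-style filename cleaning: keep only characters we explicitly
// allow and drop everything else, instead of enumerating "bad" characters.
// The /u modifier makes PCRE work on UTF-8 code points, so \p{L} and \p{N}
// admit letters and digits from any script, not just ASCII.
function cleanFilenameWhitelist(string $filename): string
{
    // Keep only the last path component: a client-supplied name such as
    // "../../etc/passwd" must never be able to climb the directory tree.
    $filename = basename(str_replace('\\', '/', $filename));

    // Allowed set (assumption for this example): letters, digits, space,
    // underscore, hyphen, dot, comma, apostrophe. Shell metacharacters,
    // angle brackets, NUL and control characters are removed without
    // ever being listed.
    $cleaned = preg_replace("/[^\p{L}\p{N} _\-.,']/u", '', $filename);
    if ($cleaned === null) {
        // preg_replace returns null on invalid UTF-8; use a neutral name.
        return 'file';
    }

    // Collapse runs of dots so ".." cannot survive, and strip leading or
    // trailing dots/spaces (hidden files, names some filesystems reject).
    $cleaned = preg_replace('/\.{2,}/', '.', $cleaned);
    $cleaned = trim($cleaned, ". ");

    return $cleaned === '' ? 'file' : $cleaned;
}

// Constructed sample inputs: legitimate names with commas, apostrophes and
// accented letters survive; path traversal and injection attempts do not.
$samples = [
    "report, final draft.pdf",
    "résumé d'Émilie.docx",
    "../../../etc/passwd",
    "photo.jpg; rm -rf /",
    "<script>alert(1)</script>.txt",
    "....hidden",
];
foreach ($samples as $s) {
    printf("%-32s -> %s\n", $s, cleanFilenameWhitelist($s));
}
```

Note that the whitelist only governs which characters survive; the stored name should still be checked for collisions and paired with a server-chosen directory rather than trusted as a path.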