 Posted by Good Man on 05/14/07 19:03 
shimmyshack <matt.farey@gmail.com> wrote in 
news:1179168720.073863.12650@y80g2000hsf.googlegroups.com:  
 
 
>> >> function cleanFile ($filename) { //clean up the file name 
>> 
>> > the trouble with this kind of blacklist banning is that it allows 
>> > encoding and other forms of clever attack. 
>> > better to use a whitelist. 
>> 
>> How would you use a 'whitelist' in this case?  By only allowing 
>> filenames with alphanumeric characters?  If that were the case, that 
>> would require forcing your user to rename their files before 
>> upload... time-intensive and annoying... 
>  
> no just use the kind of oneliner specified earlier in this post using 
> eregi_replace, or preg_replace, no requirement on the user, and you 
> can allow any utf8 character you think is reasonable without allowing 
> attacks and without banning characters like comma (,) apostrophe (') 
> and space ( ) which are all legitimate chars for a filesystem and 
> should really be allowed if the OS supports them. 
 
** eregi from earlier post ** 
// eregi_replace() was removed in PHP 7.0; the equivalent with the preg_* 
// functions mentioned in this thread is preg_replace('/[^a-zA-Z_\-]/', '', ...) 
$strName = eregi_replace("([^a-zA-Z_\-])", '', $_FILES['userfile']['name']); 
** 
 
just to make sure I follow... your eregi function keeps any of your  
'allowed' characters in your expression, and replaces everything else  
with just a "" (blank), is that correct? 
 
 
> Perhaps you can explain this line: 
> $filename = str_replace("","",$filename); 
 
bad code! 
 
 
> and then check out sql, command, xss and other injection attacks and 
> why blacklisting doesn't work 
 
I actually only use 'blacklisting' for my file uploads.  perhaps I will  
revisit that issue. 
 
thanks.
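The whitelist approach discussed in this thread, written out as an added example (this is not code from either poster): preg_replace with a Unicode-aware character class that keeps letters, digits, space, comma, apostrophe, dot, hyphen and underscore, and drops everything else; the function name sanitizeUploadName and the sample inputs are assumptions made for the example.

```php
<?php
// Added example: whitelist sanitizer for an uploaded file name.
// Everything not in the allowed set is removed, so encoding tricks and
// unexpected characters never need to be enumerated in a blacklist.
function sanitizeUploadName(string $name): string
{
    // Never trust the client-supplied path: keep only the last component.
    // (Done by hand instead of basename(), which is locale-dependent with
    // non-ASCII names.)
    $name = str_replace('\\', '/', $name);
    if (($pos = strrpos($name, '/')) !== false) {
        $name = substr($name, $pos + 1);
    }

    // Whitelist: \p{L} = any letter, \p{N} = any digit, plus space, comma,
    // apostrophe, dot, underscore and hyphen. The "u" flag makes the pattern
    // work on UTF-8 code points rather than single bytes.
    $name = preg_replace("/[^\\p{L}\\p{N} ,'._-]/u", '', $name);
    if ($name === null) {
        // preg_replace() returns null on invalid UTF-8; treat as unusable.
        return 'upload';
    }

    // Collapse runs of dots so ".." cannot survive, then strip leading and
    // trailing dots/spaces (no hidden files, no traversal-looking names).
    $name = preg_replace('/\.{2,}/', '.', $name);
    $name = trim($name, " .");

    // Cap the length at 200 code points without splitting a UTF-8 character.
    $name = preg_replace('/^(.{200}).*$/us', '$1', $name);

    return $name === '' ? 'upload' : $name;
}

// Constructed sample inputs for illustration only.
$samples = [
    "my report, final.pdf",        // legitimate chars kept as-is
    "../../etc/passwd",            // path stripped, traversal gone
    "C:\\Users\\x\\photo.jpg",     // Windows path from a browser upload
    "résumé (2007).doc",           // UTF-8 letters kept, parentheses dropped
    "weird !@#\$%^&*name.txt",     // punctuation outside the whitelist dropped
];
foreach ($samples as $s) {
    printf("%-28s -> %s\n", $s, sanitizeUploadName($s));
}
```

The extension is left alone on purpose; deciding which extensions an upload handler accepts is a separate check from cleaning the name.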