Re: Uploading files with an apostrophe in the filename

Posted by shimmyshack on 05/14/07 19:46

On May 14, 8:03 pm, Good Man <h...@letsgo.com> wrote:
> shimmyshack <matt.fa...@gmail.com> wrote in news:1179168720.073863.12650@y80g2000hsf.googlegroups.com:
>
> >> >> function cleanFile ($filename) { //clean up the file name
>
> >> > the trouble with this kind of blacklist banning is that it allows
> >> > encoding and other forms of clever attack.
> >> > better to use a whitelist.
>
> >> How would you use a 'whitelist' in this case? By only allowing
> >> filenames with alphanumeric characters? If that were the case, that
> >> would require forcing your user to rename their files before
> >> upload... time-intensive and annoying...
>
> > no just use the kind of one-liner specified earlier in this post using
> > eregi_replace, or preg_replace, no requirement on the user, and you
> > can allow any utf8 character you think is reasonable without allowing
> > attacks and without banning characters like comma (,) apostrophe (')
> > and space ( ) which are all legitimate chars for a filesystem and
> > should really be allowed if the OS supports them.
>
> ** eregi from earlier post **
> $strName = eregi_replace("([^a-zA-Z_\-])",'',$_FILES['userfile']
> ['name']);
> **
>
> just to make sure I follow... your eregi function keeps any of your
> 'allowed' characters in your expression, and replaces everything else
> with just a "" (blank), is that correct?
>
> > Perhaps you can explain this line:
> > $filename = str_replace("","",$filename);
>
> bad code!
>
> > and then check out sql, command, xss and other injection attacks and
> > why blacklisting doesn't work
>
> i actually only use 'blacklisting' for my file uploads. perhaps i will
> revisit that issue.
>
> thanks.

yes that eregi just allows the char range, but you can specify others
including accented chars and so on, it does as you say and replaces
any others, so
Go0od man->Goodman
(as spaces aren't allowed in the above ereg)
preg_replace is generally preferred but works in a similar way.
You can also make things more user friendly, say a user has to enter a
British postcode (which has many rules for its formation) and the user
types
P014 instead of PO14 (zero instead of capital letter O) or doesn't use
a space.
P0145QL
you can write a simple reg exp that filters chars and checks for
conformity to rules, and makes likely replacements (like 0 and O)
where there is no ambiguity interpreting the user's input, and throw out
the result to the lookup.
I love 'em!
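A whitelist filename cleaner in the style the thread is arguing for, written as an added example rather than code from any poster: it keeps accented letters, spaces, commas and apostrophes, drops everything else, and also handles the cases a blacklist tends to miss (path prefixes, doubled extensions, leading dots). The allowed character set, the 100-character cap and the extension list are this example's own assumptions.

```php
<?php
// Whitelist-based filename cleaning with preg_replace. The character set,
// the length cap and the extension list below are this example's own choices
// (assumptions), not anything the thread specifies.

function cleanFileName(string $name): string
{
    // Strip any directory part first: a client can submit "../../x" as the name.
    // '/' never occurs inside a UTF-8 multibyte sequence, so strrpos() is safe here.
    $name = str_replace('\\', '/', $name);
    if (($slash = strrpos($name, '/')) !== false) {
        $name = substr($name, $slash + 1);
    }

    // Whitelist: Unicode letters and digits, space, comma, apostrophe, dot,
    // hyphen and underscore. Every other byte is dropped. /u = treat as UTF-8.
    $name = preg_replace('/[^\p{L}\p{N} ,\'._-]/u', '', $name);
    if ($name === null) {
        return '';                 // preg_replace() returns null on malformed UTF-8
    }

    // Collapse whitespace runs and split off the extension at the last dot.
    $name = preg_replace('/\s+/u', ' ', $name);
    $dot  = strrpos($name, '.');
    $base = $dot === false ? $name : substr($name, 0, $dot);
    $ext  = $dot === false ? ''    : strtolower(substr($name, $dot + 1));

    // Only one extension survives, and only from a fixed list; "shell.php.jpg"
    // becomes "shellphp.jpg". Reject anything else rather than guess.
    $allowedExt = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    if (!in_array($ext, $allowedExt, true)) {
        return '';
    }

    // No inner dots and no leading/trailing spaces, so ".htaccess" or ".."
    // cannot come out of this function; cap the length well under OS limits.
    $base = trim(str_replace('.', '', $base), ' ');
    $base = mb_substr($base, 0, 100, 'UTF-8');

    return $base === '' ? '' : $base . '.' . $ext;
}

// Constructed sample inputs (not real uploads). The result is a safe filesystem
// name, but it still needs escaping when placed in HTML or SQL.
var_dump(cleanFileName("Göran's report, final.pdf"));  // "Göran's report, final.pdf"
var_dump(cleanFileName("../../etc/passwd"));             // ""  (no allowed extension)
var_dump(cleanFileName("shell.php.jpg"));                // "shellphp.jpg"
var_dump(cleanFileName("..hidden   file.txt"));          // "hidden file.txt"
```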
