URL help

[samisammour]

I'm writing a program that takes from the user a url and executes some shell commands on it so I have to to make sure the url doesnt contain any character that shell understands like : &, *, |, ....
I tried to do it with some regexp but I couldnt.
Help me please.
Thanks in advance.

 

[travs69]

Example: Replace & with nothing
$var =~ s/\&//g;

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Travis - Those Who Say It Cannot Be Done Are Usually Interrupted by Someone Else Doing It; Give the wrong symptoms, get the wrong solutions;

 

[samisammour]

I want to know if it has one or more characters that shell understands, so i need to put all characters in one line

 

[Kirsle]

Instead of trying to remove the characters that the shell understands, instead try to limit the characters allowed in the URL.

i.e. most URLs are going to only have a few characters in them:

[A-Z]
[a-z]
[0-9]
:
/
.
?
#
&

So, instead of trying to "deny some" characters, and allow the rest, you should instead "allow some" characters and deny the rest. Even when you think your code is secure, some clever script kiddie will get around it and put in some kind of escape sequence or hex code that will pass by all your filters and, when it gets to the shell, be converted by the shell back into the real character, and that wouldn't be good.

So:

if ($url =~ /[^A-Za-z0-9:\/\.\?\#]/) {
   warn "This url contains an invalid character!\n";
}

URLs can contain &'s, which could mess with the shell. What I'd suggest for that is to convert the & into a ; first (unless that doesn't fix your problem).

i.e. most CGI applications that weren't written 30 years ago should know that & and ; both separate query string values. Or, you could just not allow query strings at all by not even allowing the ? symbol to be in the URL.

-------------
Cuvou.com | My personal homepage
Project Fearless | My web blog

 

[ishnid]

How are you passing it to the shell?