Discussion:
regex for .. detection
gr0tus
2002-02-12 18:54:02 UTC
Permalink
Nope, I'm in a class in New Jersey right now. I can access Yahoo
Groups and look at the web version of CVS, but that is about it.
Ok, so is that your final answer? :-)
Can you make the change, test it and send in a diff?
-dean
That would match, let me rewrite the regex with comments for clarity:
m{ #match (using a different bracketing to avoid leaning toothpicks
   ((^            #the beginning of the string
   ([a-zA-Z]:)?)  #plus 0 or 1 instances of a volume
   |              # OR
   ([/\\]))       #one or the other of / or \ not necessarily
                  #at the beginning of the string
   \.\.           #then the two dots
   ([/\\]         #then one of / or \
   |              # OR
   $)             #the end of the string
}x #end the regex (the x allows whitespace/comments)
ok, it's slightly different than what I had before, but it is mostly
the same. It matches .. either between two directory separators or
at the start or end of the path string.
somevaliddir/../../../../etc/passwd
?
m{(^([a-zA-Z]:)?|[/\\])\.\.[/\\]?}
The first bit is to prevent windows users from doing
c:../whatever
or unix folk from starting with a ..
It may not exactly work, but I can't test it to make it work.
Robert (gr0tus)
dean blackketter
2002-02-12 17:41:19 UTC
Permalink
Ok, so is that your final answer? :-)

Can you make the change, test it and send in a diff?

-dean
m{ #match (using a different bracketing to avoid leaning toothpicks
   ((^            #the beginning of the string
   ([a-zA-Z]:)?)  #plus 0 or 1 instances of a volume
   |              # OR
   ([/\\]))       #one or the other of / or \ not necessarily
                  #at the beginning of the string
   \.\.           #then the two dots
   ([/\\]         #then one of / or \
   |              # OR
   $)             #the end of the string
}x #end the regex (the x allows whitespace/comments)
ok, it's slightly different than what I had before, but it is mostly
the same. It matches .. either between two directory separators or
at the start or end of the path string.
somevaliddir/../../../../etc/passwd
?
m{(^([a-zA-Z]:)?|[/\\])\.\.[/\\]?}
The first bit is to prevent windows users from doing c:../whatever
or unix folk from starting with a ..
It may not exactly work, but I can't test it to make it work.
Robert (gr0tus)
gr0tus
2002-02-12 16:49:47 UTC
Permalink
That would match, let me rewrite the regex with comments for clarity:

m{ #match (using a different bracketing to avoid leaning toothpicks
   ((^            #the beginning of the string
   ([a-zA-Z]:)?)  #plus 0 or 1 instances of a volume
   |              # OR
   ([/\\]))       #one or the other of / or \ not necessarily
                  #at the beginning of the string
   \.\.           #then the two dots
   ([/\\]         #then one of / or \
   |              # OR
   $)             #the end of the string
}x #end the regex (the x allows whitespace/comments)

ok, it's slightly different than what I had before, but it is mostly
the same. It matches .. either between two directory separators or
at the start or end of the path string.
somevaliddir/../../../../etc/passwd
?
m{(^([a-zA-Z]:)?|[/\\])\.\.[/\\]?}
The first bit is to prevent windows users from doing c:../whatever
or unix folk from starting with a ..
It may not exactly work, but I can't test it to make it work.
Robert (gr0tus)
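
The two patterns from this thread, run side by side over constructed sample paths. This is an added example, not code from the original posts or from the SLIMP3 project; the has_dotdot_component helper and the sample list are assumptions introduced here for comparison.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# First pattern from the thread: the separator after ".." is optional.
my $first = qr{(^([a-zA-Z]:)?|[/\\])\.\.[/\\]?};

# Commented rewrite from the thread: ".." must be followed by a
# separator or by the end of the string.
my $rewrite = qr{
    ( (^ ([a-zA-Z]:)? )   # start of string, optional volume
    | [/\\] )             # or a directory separator
    \.\.                  # the two dots
    ( [/\\] | $)          # then a separator or the end of the string
}x;

# Hypothetical cross-check (not from the thread): drop a volume prefix,
# split on either separator, flag any component that is exactly "..".
sub has_dotdot_component {
    my ($path) = @_;
    (my $rest = $path) =~ s{^[a-zA-Z]:}{};
    return scalar grep { $_ eq '..' } split m{[/\\]}, $rest;
}

# Constructed sample paths; the first two are quoted in the thread.
my @samples = (
    'somevaliddir/../../../../etc/passwd',
    'c:../whatever',
    '../playlist.m3u',
    'music/..',
    'music\\..\\other',
    'music/..hidden/track.mp3',   # name that only starts with ".."
    'music/a..b/track.mp3',
    'music/album/track.mp3',
);

printf "%-38s %-6s %-8s %s\n", 'path', 'first', 'rewrite', 'component';
for my $p (@samples) {
    printf "%-38s %-6s %-8s %s\n", $p,
        ($p =~ $first   ? 'match' : '-'),
        ($p =~ $rewrite ? 'match' : '-'),
        (has_dotdot_component($p) ? 'match' : '-');
}
```

On this input the two patterns disagree only on music/..hidden/track.mp3: the first pattern matches it because its trailing separator is optional, while the rewrite and the component check treat it as an ordinary name.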
dean blackketter
2003-02-22 12:59:19 UTC
Permalink
Ok, so is that your final answer? :-)

Can you make the change, test it and send in a diff?

-dean

> That would match, let me rewrite the regex with comments for clarity:
>
> m{ #match (using a different bracketing to avoid leaning toothpicks
>    ((^            #the beginning of the string
>    ([a-zA-Z]:)?)  #plus 0 or 1 instances of a volume
>    |              # OR
>    ([/\\]))       #one or the other of / or \ not necessarily
>                   #at the beginning of the string
>    \.\.           #then the two dots
>    ([/\\]         #then one of / or \
>    |              # OR
>    $)             #the end of the string
> }x #end the regex (the x allows whitespace/comments)
>
> ok, it's slightly different than what I had before, but it is mostly
> the same. It matches .. either between two directory separators or
> at the start or end of the path string.
>
> --- In slimp3-dev-F5Bj5G+***@public.gmane.org, dean blackketter <***@b...> wrote:
> > What about this:
> >
> > somevaliddir/../../../../etc/passwd
> >
> > ?
> >
> > >This might be what you are looking for:
> > >
> > >m{(^([a-zA-Z]:)?|[/\\])\.\.[/\\]?}
> > >
> > >The first bit is to prevent windows users from doing c:../whatever
> > >or unix folk from starting with a ..
> > >
> > >It may not exactly work, but I can't test it to make it work.
> > >
> > >Robert (gr0tus)
dean blackketter
2002-02-12 15:06:07 UTC
Permalink
What about this:

somevaliddir/../../../../etc/passwd

?
m{(^([a-zA-Z]:)?|[/\\])\.\.[/\\]?}
The first bit is to prevent windows users from doing c:../whatever
or unix folk from starting with a ..
It may not exactly work, but I can't test it to make it work.
Robert (gr0tus)
gr0tus
2002-02-12 14:12:37 UTC
Permalink
This might be what you are looking for:

m{(^([a-zA-Z]:)?|[/\\])\.\.[/\\]?}

The first bit is to prevent windows users from doing c:../whatever
or unix folk from starting with a ..

It may not exactly work, but I can't test it to make it work.

Robert (gr0tus)




dean blackketter
2003-02-22 12:59:27 UTC
Permalink
What about this:

somevaliddir/../../../../etc/passwd

?

> This might be what you are looking for:
>
> m{(^([a-zA-Z]:)?|[/\\])\.\.[/\\]?}
>
> The first bit is to prevent windows users from doing c:../whatever
> or unix folk from starting with a ..
>
> It may not exactly work, but I can't test it to make it work.
>
> Robert (gr0tus)
