On Wed, Aug 07, 2002 at 12:51:43PM +0900, Wai-Sun Chia wrote:

> But there's a kludge; I can't seem to do a File.new as Ruby says it's a
> tainted operation; so I just do a .untaint on the argument...not very
> nice, unless someone can try to unkludge it...

Perhaps you should not simply untaint it but do some testing against
"../" attacks or the like.

-billy.

-- 
Meisterbohne       Söflinger Straße 100          Tel: +49-731-399 499-0
   eLösungen       89077 Ulm                     Fax: +49-731-399 499-9
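As an added illustration of the point made above (example code, not from anyone in the thread), a Ruby helper that checks an untrusted filename for "../" traversal before opening it, and untaints only after that check; the names `safe_path` and `open_under` are hypothetical, and the sample inputs are constructed.

```ruby
# Added example: validate an untrusted filename against directory traversal
# instead of blindly calling .untaint on it.
require 'pathname'

class UnsafePathError < ArgumentError; end

# Resolve +user_input+ relative to +base_dir+ and return the absolute path
# only if it stays inside +base_dir+; raise UnsafePathError otherwise.
def safe_path(base_dir, user_input)
  # A NUL byte would truncate the name at the OS level; reject it outright.
  raise UnsafePathError, 'NUL byte in path' if user_input.include?("\0")
  # An absolute path ignores base_dir, and a leading "~" would make
  # File.expand_path substitute a home directory; reject both.
  if Pathname.new(user_input).absolute? || user_input.start_with?('~')
    raise UnsafePathError, 'absolute or home-relative path not allowed'
  end

  base = File.expand_path(base_dir)
  # expand_path collapses "." and ".." lexically (no symlink resolution), so
  # "sub/../../etc/passwd" lands outside base and fails the prefix check.
  candidate = File.expand_path(user_input, base)
  prefix = base.end_with?(File::SEPARATOR) ? base : base + File::SEPARATOR

  unless candidate == base || candidate.start_with?(prefix)
    raise UnsafePathError, "path escapes #{base_dir}: #{user_input}"
  end

  # Under the old $SAFE taint model this is the point where untainting is
  # justified: the value has been checked. Ruby 3 dropped taint tracking,
  # so only call untaint where the method still exists.
  candidate.untaint if candidate.respond_to?(:untaint)
  candidate
end

# Open a file under base_dir only after the path has passed safe_path.
def open_under(base_dir, user_input, mode = 'r', &blk)
  File.open(safe_path(base_dir, user_input), mode, &blk)
end

if __FILE__ == $0
  base = '/var/data' # constructed base directory
  %w[report.txt sub/../report.txt ../etc/passwd /etc/passwd].each do |input|
    begin
      puts "#{input.inspect} -> #{safe_path(base, input)}"
    rescue UnsafePathError => e
      puts "#{input.inspect} -> rejected (#{e.message})"
    end
  end
end
```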
