
1403 Re: [soaplite] Re: Preventing package name traversal attacks

  • Tom Mornini
    Apr 10, 2002
      On Wednesday, April 10, 2002, at 07:42 AM, Paul Kulchenko wrote:

      > --- "Randy J. Ray" <rjray@...> wrote:
      > > -> on_action(sub { die "Access denied\n" if $_[2] =~ /:|'/ })
      > >While looking into this last night, I was thinking that the
      > >on_dispatch() handler might be a better way to go-- it gets run
      > >earlier than the on_action() handler does. Plus, it seems to make
      > >more sense to my (sleep-deprived) brain, since I would expect the
      > >on_action() hook to accompany an action that is taking place, not
      > >prevent one at the last minute. But I guess it's just a
      > >matter of taste, as to which you use.
      > That's true. Actual patch does it inside the handler, so you don't
      > need to do anything in your code.

      does that mean you agree that the immediate fix is:

      on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })

      does on_dispatch receive the same parameter list as on_action?

      -- Tom Mornini
      -- InfoMania Printing and Prepress
      -- ICQ: 113526784, AOL: tmornini, Yahoo: tmornini, MSN: tmornini
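
An added example, not part of the original message and not SOAP::Lite code: a standalone Perl demonstration of why the pattern in this thread rejects both `:` and `'` in a method name. The `Demo::*` packages and the `name_is_safe` and `dispatch` helpers are hypothetical, and it assumes a client-supplied method name ends up in a `$class->$method()` call.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-ins: one package meant to be exposed, one that is not.
package Demo::Public;
sub hello { return "hello from Demo::Public" }

package Demo::Internal;
sub secret { return "reached Demo::Internal::secret" }

package main;

# The check from the thread: reject names containing ':' or "'".
# Both matter because Perl has historically accepted "'" as a
# package separator, so Foo'bar can name the same sub as Foo::bar.
sub name_is_safe {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return $name =~ /:|'/ ? 0 : 1;
}

# Hypothetical dispatcher: calls a client-supplied method name on a
# fixed class. A package-qualified name bypasses the fixed class,
# because Perl resolves the method in the package named in the string.
sub dispatch {
    my ($class, $method, $guard) = @_;
    die "Access denied\n" if $guard && !name_is_safe($method);
    return $class->$method();
}

# Constructed sample inputs: one plain name, two package-qualified names.
for my $name ('hello', 'Demo::Internal::secret', "Demo'Internal'secret") {
    my $unguarded = eval { dispatch('Demo::Public', $name, 0) } // "error: $@";
    my $guarded   = eval { dispatch('Demo::Public', $name, 1) } // "error: $@";
    chomp($unguarded, $guarded);
    print "$name\n  unguarded: $unguarded\n  guarded:   $guarded\n";
}
```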