Dr. Trigon wrote:
> > I would check that xslt is only composed of alphanumeric
> > characters* and do something like "/home/drtrigon/xslt/" + xslt +
> > ".xslt" (this ensures there's no ../ and it doesn't contain \0)
>
> I considered this solution, since it sounded very easy. BUT the
> check for alphanum does exclude all files with '-' or '_'. Thus I
> decided to use my proposal.

Heh, you could have added - and _ to the list of allowed characters
(that's why I pointed out *what* I wanted to protect from).

> As far as I can see this does protect from '../' and '\0' in the
> path of the xslt file also - but please correct me if I am wrong
> here (and you have a scenario where this breaks down).

Spelling out the list of allowed values is always safer, but it is
bothersome (I see you listed the folder instead).
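One way to implement the allowlist check discussed in this thread, as an added Python example that is not code from either poster: the directory and ".xslt" suffix are the ones quoted above, '-' and '_' are added to the allowed set as suggested, and the function names and the extra containment check are my own additions.

```python
import os
import re

# Directory and suffix quoted in the thread (constructed example).
XSLT_DIR = "/home/drtrigon/xslt"
XSLT_SUFFIX = ".xslt"

# Allowlist: letters, digits, '-' and '_' only.  Everything else,
# including '/', '.', and NUL, is rejected up front.
_ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]+")


def xslt_path(name: str, base_dir: str = XSLT_DIR) -> str:
    """Return the full path for an XSLT name, or raise ValueError.

    The allowlist alone already rules out '../' and '\\0', because neither
    '/' nor '.' nor NUL is an allowed character.  The containment check that
    follows is defence in depth (my addition, not from the thread): even if
    the allowed set were loosened later, the resolved path must still sit
    directly inside base_dir.
    """
    if not _ALLOWED_NAME.fullmatch(name):
        raise ValueError(f"rejected xslt name: {name!r}")
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name + XSLT_SUFFIX))
    if os.path.dirname(full) != base:
        raise ValueError(f"path escapes {base_dir}: {full!r}")
    return full


def is_safe(name: str) -> bool:
    """True if xslt_path() accepts the name, False if it is rejected."""
    try:
        xslt_path(name)
    except ValueError:
        return False
    return True
```

Note that names containing a dot (e.g. "style.v2") are also rejected by this allowlist; widen the character class deliberately if such names are needed, and keep the containment check.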