Revision as of 07:11, 7 July 2021 edit Tea2min (talk \| contribs) Extended confirmed users, Pending changes reviewers 21,978 edits Split ot "Notes" section. ← Previous edit		Revision as of 18:18, 18 September 2021 edit undo Luckyclover44 (talk \| contribs) 250 edits m →Path traversal prevention: Fixed spelling Tag: Visual edit Next edit →
Line 72: For example, consider a script that fetches an article by taking a filename, which is then read by the script and [[Parse\|parsed]]. Such a script might use the following hypothetical URL to retrieve an article about [[dog food]]: <nowiki>https://www.example.net/cgi-bin/article.sh?name=dogfood.html</nowiki> If the script has no input checking, instead trusting that the filename is always valid, a [[malicious user]] could forge a URL to retrieve configuration files from the ~~webserver~~web server: <nowiki>https://www.example.net/cgi-bin/article.sh?name=../../../../../etc/passwd</nowiki> Depending on the script, this may expose the [[Passwd#Password file\|/etc/passwd]] file, which on [[Unix-like]] systems contains (among others) [[User identifier (Unix)\|user IDs]], their [[Username\|login names]], [[home directory]] paths and [[Operating system shell\|shells]]. (See [[SQL injection]] for a similar attack.)

Secure coding: Difference between revisions