add some security fixes
[spider.git] / perl / DXCommandmode.pm
index 4dbeb863c8ba784f8ee3b264eb4e507cfc4d0e5f..f5ef8e2808ba0a1b403610ed5245575013b93960 100644 (file)
@@ -439,7 +439,9 @@ sub run_cmd
        if ($cmd) {
                # strip out // and .. on command only
                $cmd =~ s|//|/|g;
-               $cmd =~ s|\.+|\.|g;
+               $cmd =~ s|\.+||g;               # no dots allowed
+               $cmd =~ s|^/||g;                # no leading / either
+               $cmd =~ s|[^-\w/]||g;   # and no funny characters
                                        
                my ($path, $fcmd);