Re: Sendpage (Perl CGI) Remote Execution Vulnerability

From: Seth Arnold
Date: 11/28/01

Date: Wed, 28 Nov 2001 12:59:30 -0800

On Wed, Nov 28, 2001 at 09:24:30AM +0000, John Imrie wrote:
> > $message =~ s/[^\w\s]//g;
> $message =~ s/[^A-Za-z0-9]//g;

Note that these two are almost identical in the default locale, but the
first version also allows whitespace (maybe useful :) and more
international-friendly characters such as: αξεοιαπ ....


"Soldiers quartered in a populous town will always occasion two mobs
where they prevent one. They are wretched conservators of the peace."
-- John Adams
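
The difference between the two substitutions quoted above, shown as an added example that is not part of the original message or of Sendpage. The sub names and sample strings are constructed for illustration; the non-ASCII sample uses characters above U+00FF under `use utf8`, so Perl applies Unicode rules to `\w` regardless of locale.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                              # string literals below are UTF-8
binmode(STDOUT, ':encoding(UTF-8)');

# First quoted allowlist: word characters (letters, digits, underscore)
# plus whitespace. Everything else is deleted.
sub filter_word_space {
    my ($message) = @_;
    $message =~ s/[^\w\s]//g;
    return $message;
}

# Second quoted allowlist: ASCII letters and digits only.
sub filter_ascii_alnum {
    my ($message) = @_;
    $message =~ s/[^A-Za-z0-9]//g;
    return $message;
}

# Make retained newlines and tabs visible in the output.
sub show {
    my ($s) = @_;
    $s =~ s/\n/\\n/g;
    $s =~ s/\t/\\t/g;
    return $s;
}

# Constructed sample inputs (not taken from the thread).
my @samples = (
    "call me at 5pm",                  # plain text with spaces
    "αξε ok_1",                        # non-ASCII letters and an underscore
    'ops; echo test | cat > out',      # shell metacharacters
    "line one\nline two\ttabbed",      # \s also matches newline and tab
);

for my $in (@samples) {
    printf "input        : %s\n", show($in);
    printf "[^\\w\\s]      : %s\n", show(filter_word_space($in));
    printf "[^A-Za-z0-9] : %s\n\n", show(filter_ascii_alnum($in));
}
```

Both filters delete the shell metacharacters; the first keeps spaces, underscores, non-ASCII letters, and also newlines and tabs, which matters if the filtered message is later placed on a single command line or protocol line.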
