Issue:
The command injection vulnerability has not been fixed in the create file function.
Test:
Please review the Defense section of the lesson and try again. Remember that using regular expressions to filter out dangerous OS injection syntax is hard to do correctly and not recommended. In some cases, regular expressions can be used to enhance security, but preventing a command injection is not one of them.
Instead, reference the given code examples to replace the vulnerable code with safer functions that are specifically designed to create files rather than execute arbitrary shell commands.
You can test whether your patch works correctly by reattempting the Blind Injection exploit and entering "test1; ping -i 1 -c 15 127.0.0.1" as the filename. If your patch works as expected, you should see multiple files created: "test1;", "ping", "-i", etc.
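As an added illustration of the fix the feedback asks for (this is example code, not the lesson's own create-file function), the block below shows the vulnerable shape next to a hardened version in Python. The function names, the upload directory and the whitespace-splitting of the input are assumptions: the expected outcome above (several files named "test1;", "ping", "-i", ...) implies the create-file function treats each whitespace-separated token as a separate filename, so the safe version does the same, but with the filesystem API instead of a shell.

```python
"""Added example: a create-file function before and after the command injection fix."""
import re
import subprocess
import tempfile
from pathlib import Path
from typing import List

# Constructed input: the filename string from the lesson's Blind Injection test.
TEST_INPUT = "test1; ping -i 1 -c 15 127.0.0.1"


def create_files_vulnerable(upload_dir: str, user_input: str) -> None:
    """The 'before' shape (hypothetical): user input is pasted into a shell
    command line. The shell treats ';' as a command separator, so everything
    after it runs as a second command. Kept for contrast only; never called here."""
    subprocess.run(f"touch {upload_dir}/{user_input}", shell=True, check=False)


# Accept plain names only: letters, digits, '.', '_', '-', and ';' (the lesson
# expects 'test1;' to become a file). '/' is excluded so a name cannot leave
# upload_dir; '.' and '..' are rejected separately because they pass the regex.
_NAME_RE = re.compile(r"[A-Za-z0-9._;-]+")


def is_safe_name(name: str) -> bool:
    """True when name is a single plain file name with no path components."""
    return name not in (".", "..") and _NAME_RE.fullmatch(name) is not None


def create_files_safe(upload_dir: str, user_input: str) -> List[str]:
    """The 'after' shape: split the input into names and create each one with
    the filesystem API. No shell is involved, so ';' and 'ping' are just
    characters in a file name. Returns the names created, in input order."""
    base = Path(upload_dir).resolve()
    created: List[str] = []
    for name in user_input.split():
        if not is_safe_name(name):
            raise ValueError(f"rejected file name: {name!r}")
        target = (base / name).resolve()
        # Defence in depth: even a name that passed the regex must land in base.
        if target.parent != base:
            raise ValueError(f"path escapes upload directory: {name!r}")
        target.touch(exist_ok=True)  # creates an empty file, like touch(1), without a shell
        created.append(target.name)
    return created


def demo_safe(user_input: str = TEST_INPUT) -> List[str]:
    """Runs the fixed function in a scratch directory and returns the names
    actually present on disk afterwards, sorted."""
    with tempfile.TemporaryDirectory() as scratch:
        create_files_safe(scratch, user_input)
        return sorted(p.name for p in Path(scratch).iterdir())


if __name__ == "__main__":
    # Expected: seven files, none of which required running a shell.
    print(demo_safe())
```

The allow-list regex here is not what prevents the injection; removing the shell does that. The regex only keeps file names inside the upload directory, which is the separate path-traversal concern a practitioner would also want closed when accepting filenames from users.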