http://qs1969.pair.com?node_id=92944


in reply to Not Strictly A perl question.

It's Perl enough for me. I'm a bit tired so you don't get the full answer, but here's the quick rundown.

When you put a link in a webpage, the browser loads the HTML, then loads the images as if you were following links to the images. In short, an <img src="lalala"> tag acts exactly like an <a href="lalala"> tag. There is no problem at all with having the target of an img tag be a CGI.

So your img tag becomes <img src="image_server.pl?image=goodpic.jpg">.

The CGI becomes:

#!/usr/local/bin/perl -w
use CGI qw/:all/;

my $query = CGI->new();
my $file  = $query->param("image");   # the query-string value is used as a path as-is (see the note below)

# A CGI must emit a header before the body, or the web server rejects the response.
print $query->header( -type => 'image/jpeg' );
binmode STDOUT;

open( IMAGE, $file ) or die "Cannot open $file: $!";
binmode IMAGE;
while (<IMAGE>) { print $_; }
close(IMAGE);
exit;

You are on the right track. A lot of sites have "image servers" - web servers that just host images. Cuts down the load on any one server. I'll let someone else shout about security, but consider what could happen if someone typed "image_server.pl?image=/etc/password" into their browser...

____________________
Jeremy
I didn't believe in evil until I dated it.

Re: Re: Not Strictly A perl question.
by Zaxo (Archbishop) on Jul 01, 2001 at 00:19 UTC

    I'll fill out some of the bits jepri left out

    As it stands the code has a classic cgi security hole. It trusts user input for file system locations (e.g. ?image=/etc/passwd). Here is a safer rewrite:

    #!/usr/local/bin/perl -wT
    use strict;
    use CGI qw/:all/;

    # Allowed images, keyed by the short name the client may ask for.
    # The user-supplied value is only ever used as a hash key, never as a path.
    my %images = (
        'tophat'  => { 'path' => "/usr/somewhere/way/out/of/reach/Top Hat.jpeg", 'mime' => "image/jpeg" },
        'racecar' => { 'path' => "/usr/somewhere/way/out/of/reach/Bugatti.png",  'mime' => "image/png"  },
        #etc...
    );

    my $query = CGI->new();
    my $file  = $query->param("image");
    $| = 1;

    if ( defined $file and exists $images{$file} ) {
        open( IMAGE, '<', $images{$file}{'path'} ) or die "Cannot open image: $!";
        binmode IMAGE;
        print $query->header({ -type => $images{$file}{'mime'} });
        binmode STDOUT;
        print while (<IMAGE>);
        close(IMAGE);
    } else {
        print $query->header({ -type => 'text/html', -status => "404 File Not Found" });
    }
    exit;

    This is a forgiving approach to bad input, more BOFHish to log and play games.

    After Compline,
    Zaxo
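The fixed hash above is the safest choice when the set of images is small. As an added example (not code from either post), the same idea applied to a whole directory: the name from the query string is reduced to a plain basename with an allowed extension, resolved with realpath so symlinks and ".." cannot escape, and then checked to still lie under the image root. The directory /var/www/images and the extension list are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use Cwd qw(realpath);
use File::Spec;

# Assumed location: only files below this directory may be served.
my $IMAGE_ROOT = realpath('/var/www/images') or die "image root missing";

# Extension -> MIME type; anything not listed is refused.
my %MIME = ( jpg => 'image/jpeg', jpeg => 'image/jpeg', png => 'image/png', gif => 'image/gif' );

# Turn the client-supplied name into (absolute path, mime type), or return an empty list.
sub resolve_image {
    my ($name) = @_;
    return () unless defined $name;
    # Only a simple basename with a known extension; no '/', '..' or NUL can pass.
    # The capture also untaints the value if the script is run with -T.
    return () unless $name =~ /\A([A-Za-z0-9_-]{1,64})\.(jpe?g|png|gif)\z/i;
    my ( $base, $ext ) = ( $1, lc $2 );
    # realpath follows symlinks and returns undef for files that do not exist.
    my $path = realpath( File::Spec->catfile( $IMAGE_ROOT, "$base.$ext" ) );
    return () unless defined $path and -f $path;
    # A symlink inside the root pointing elsewhere resolves outside it: reject.
    return () unless index( $path, "$IMAGE_ROOT/" ) == 0;
    return ( $path, $MIME{$ext} );
}

my $q = CGI->new;
my ( $path, $mime ) = resolve_image( scalar $q->param('image') );

if ($path) {
    open( my $fh, '<:raw', $path ) or die "Cannot open $path: $!";
    print $q->header( -type => $mime );
    binmode STDOUT;
    local $/ = \65536;             # stream in 64 KiB chunks instead of "lines"
    print while <$fh>;
    close $fh;
}
else {
    print $q->header( -type => 'text/plain', -status => '404 Not Found' ), "Not found\n";
}
```

Requests for names that fail the pattern, do not exist, or resolve outside the root all get the same 404, so nothing about the filesystem layout is revealed.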