Re: File Naming
by jlp (Friar) on Aug 01, 2000 at 05:39 UTC
my $user = "User";
open(USER, ">$user.txt") || die "Can't create user file $user.txt: $!";
print USER "foo";   # user data goes here
close(USER) || die "Can't close user file $user.txt: $!";
This assumes you have the proper write permissions on your server of course.
Re: File Naming
by fundflow (Chaplain) on Aug 01, 2000 at 06:47 UTC
If you want your web-site to stay up for more than a day,
don't forget to check the given user name to exclude users like
"/etc/passwd" etc.
HTH
Re: File Naming
by young perlhopper (Scribe) on Aug 01, 2000 at 07:50 UTC
The key here is to never ever ever EVER trust user input.
When you are programming CGI of any type you must look at
every piece of input and say "what's the worst possible thing
that a user could enter into this field, and how would I deal
with it?"
In short, program defensively.
Mark
Re: File Naming
by Mork29 (Scribe) on Aug 01, 2000 at 09:03 UTC
OK, my follow-up question: how do I exclude only a single character from the username or password or any other field, i.e. don't let them put a / in the username?
sub secure_query
{
    local $_ = shift;            # work on a copy, don't clobber the caller's $_
    s/\-+(.*)/$1/g;              # strip leading dashes (option-like input)
    s/(.*)[ \t]+\-(.*)/$1$2/g;   # strip " -" sequences inside the string
    tr/\$\'\`\"\<\>\/\;\!\|/_/;  # replace shell/path metacharacters with '_'
    return($_);
}#End secure_query
This is probably a little simpler and a lot safer:
$had_bad_characters = $user =~ s/\W//g;
# Safer still (since what's defined as a 'word character' could change based on locale/Unicode (?))
$user =~ s/[^a-zA-Z_-]//g;   # Explicitly define what we want to ACCEPT as valid
Generally the secure approach involves defining what is acceptable and disallowing everything else, not trying to filter out what we know/anticipate to be bad, because stuff frequently slips through.
Re: File Naming
by Mork29 (Scribe) on Aug 01, 2000 at 07:05 UTC
<writes the word newbie on his forehead>
Explain why? Some type of exploit for "hackers"?
If you pass a string from a user directly to open, the person can run arbitrary commands. The username ';rm nameofcgi.cgi;' for example will delete nameofcgi.cgi (on some platforms, anyway). Even if you prefix the filename with a directory, someone could use ../ to write to the directory of their choice. Someone could also use a \0 to prevent any appended string from being used in the filename (since the underlying C library will take the \0 to be the end of the string). In other words, you need to verify that the data the user has given you does not contain anything it shouldn't. You can use the -T switch (#!/usr/bin/perl -T) which will enable taint checking, which will cause perl to stop when it encounters a potentially unsafe operation.
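Putting the two points together (the allow-list approach from the "define what is acceptable" reply, and the ../, \0 and taint-mode points from the reply above), here is an added example that is not from any poster in this thread. It assumes a data directory of /tmp/userdata, a 32-character name limit, and that the script is started with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): allow-list validation of a user-supplied
# name before it becomes part of a filename. Run as: perl -T thisfile.pl
use strict;
use warnings;

my $DATA_DIR = '/tmp/userdata';   # assumed location of the per-user files

# Return the validated name, or undef if it contains anything outside the
# allow-list. Under -T the regex capture $1 is untainted; the raw input is not,
# so this is the only way a user-supplied value may reach open().
sub valid_user_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    # First char alphanumeric, then up to 31 more of [A-Za-z0-9_-]. Anything
    # else ('/', '.', "\0", ';', '|', spaces, a leading '-') rejects the name
    # outright; we do not try to "clean" it, because stripping leaves surprises.
    return undef unless $raw =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,31})\z/;
    return $1;
}

sub write_user_file {
    my ($raw_user, $data) = @_;
    my $user = valid_user_name($raw_user) or die "Rejected user name\n";
    my $path = "$DATA_DIR/$user.txt";
    # Three-argument open with an explicit mode: the filename is never parsed
    # for '|', '>' or '<', so it cannot become a pipe or a redirect.
    open(my $fh, '>', $path) or die "Can't create $path: $!";
    print {$fh} $data;
    close($fh) or die "Can't close $path: $!";
    return $path;
}

# Constructed sample inputs: what the allow-list accepts and what it rejects.
for my $candidate ('alice', 'bob_2', '../../etc/passwd', ';rm x.cgi;', "a\0b", '-rf') {
    my $shown = $candidate;
    $shown =~ s/\0/\\0/g;                       # make the NUL visible when printed
    my $v = valid_user_name($candidate);
    printf "%-20s => %s\n", $shown, defined $v ? "accepted as '$v'" : 'rejected';
}
# write_user_file('alice', "foo\n') would then create /tmp/userdata/alice.txt
```

Only 'alice' and 'bob_2' pass; the traversal, command-separator, NUL and option-like names are all rejected before any filename is built.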