Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Re: how to improve my script

by betterworld (Curate)
on Jun 15, 2009 at 13:27 UTC ( [id://771655]=note: print w/replies, xml ) Need Help??


in reply to how to improve my script

From looking at your code, it appears that it is vulnerable to directory traversal attacks. If someone requests URLs like "/../../../../../../etc/passwd", you happily deliver the system's user database.

Also I'd guess that you'll get a lot of warnings if a client terminates the connection without sending a request.

However I may be wrong; I did not run your code, I only had a look at it.

I realize that you are doing this only as an exercise, but I'd strongly recommend thinking about malicious input when writing networking software.

Replies are listed 'Best First'.
Re^2: how to improve my script
by afoken (Chancellor) on Jun 15, 2009 at 17:59 UTC

    I'm missing taint mode and any kind of input validation. I see code written in Perl4 style (&log(...)), I see repeated (hidden) stat calls (-e $DOCROOT.$uri, then -d $DOCROOT.$uri, then -f $DOCROOT.$uri), I see open where stat is sufficient (# open $f to get its modification time). And I'm sure perlcritic would find a lot more than this.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://771655]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others admiring the Monastery: (4)
As of 2024-04-19 06:19 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found