Re: HTML Template

You also have a possible exploit waiting to happen (although, imo, the risk in this case is pretty small):

$yeardir=$ENV{'QUERY_STRING'};
...
opendir(DIR, "d:/wwwroot/CalvaryBaptist/Sermons/".$yeardir);
[download]

$yeardir is unsanitized, meaning that an external user (the person controlling the web browser), is able to specify any directory on your D: drive to search. The risk is mitigated somewhat because you are searching for stuff that ends in .wmv. However, if there are other protected directories containing wmv files that the general user should not have access to, that protection could be bypassed here. In general, you want to sanitize your inputs from untrusted sources.

--MidLifeXis

Comment on Re: HTML Template Select or Download Code

Replies are listed 'Best First'.
Re^2: HTML Template by raptorsoul (Novice) on May 10, 2015 at 05:36 UTC
Since I am unskilled in Perl as I said before, would you be able to suggest a solution to "sanitize" this line of code?	[reply]
Re^3: HTML Template by afoken (Chancellor) on May 10, 2015 at 09:38 UTC
suggest a solution to "sanitize" this line of code `$yeardir=$ENV{'QUERY_STRING'}; ... opendir(DIR, "d:/wwwroot/CalvaryBaptist/Sermons/".$yeardir);` [download] Assuming year must be a four-digit number starting with 19, 20 or 21: `$yeardir=$ENV{'QUERY_STRING'}; $yeardir=~/^(19\|20\|21)[0-9]{2}$/ or die "Bad year\n"; ... opendir(DIR, "d:/wwwroot/CalvaryBaptist/Sermons/".$yeardir);` [download] Note that `or die` will cause a "500 Internal Server Error" when your script is called with an invalid number. You may want to generate a nicer error page instead: `$yeardir=$ENV{'QUERY_STRING'}; unless ($yeardir=~/^(19\|20\|21)[0-9]{2}$/) { print "Content-Type: text/plain\r\n\r\n"; print "Bad year."; exit; # <-- important. Don't run into the following code. } ... opendir(DIR, "d:/wwwroot/CalvaryBaptist/Sermons/".$yeardir);` [download] For a more robust solution, don't try to parse the CGI environment by yourself. There are tons of CGI modules on CPAN, CGI was in core for ages, but it is fat and full of legacy code. CGI::Minimal provides the essential parts, skipping generating HTML and much legacy code. CGI::Simple strips generating HTML and moves the functional interface into a separate module CGI::Simple::Standard, but attempts to stay compatible with CGI. CGI::Lite is yet another instance of "CGI without generating HTML". Modules compatible with the CGI API offer a method named `param()` that allows you to fetch parameter values from the query string. Also, consider `use strict;`, `use warnings;`, enabling taint mode (`#!perl -T`). Note that taint mode will cause your script to die when you attempt to pass unverified ("tainted") data to critical functions. You need to verify all data. See perlsec. You may also want to use CGI::Carp for a better error handling and autodie to have automatic error checks for the I/O operations. Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply] [d/l] [select]