in reply to Re: Making webpages from a single CGI
in thread Making webpages from a single CGI

The following works fine if the request is something like http://foo.com/bar.cgi?baz=image.jpg

What if the request is something like http://www.cheese.com/foo?file=image.jpg%22%3E%3C!--%20#include%0Afile=%22/etc/passwd%22--%3E%3Cspan%20id=%22foo

Alright, I'm picking on you for comments like "This never works" and "Just for fun". If you're not sure what something does, please find out before you recommend it to someone else.

Using CGI.pm will not fix the exploitish URI above, though it will prevent you from hand rolling form parsing code. Reading through perldoc perlsec won't automatically fix the potential security hole, but it will help you think in terms of how to minimize the risk.
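Added example (my own code, not from either poster) showing what that URI looks like once CGI.pm has parsed it, why parsing alone changes nothing, and one way to harden the handler. The code being discussed is not quoted on this page, so the shape of the unsafe handler (building an <img> tag from the parameter) is an assumption; the hardened version is one approach, not the only one. The injected <!--#include --> only executes if the server post-processes the script's output for server-side includes; without SSI it is still plain HTML injection. Assumes CGI.pm is installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;   # parses and URL-decodes the query string; it does not validate or escape values

# Constructed input: the query part of the URI quoted in the post above,
# exactly as it would arrive in QUERY_STRING. CGI.pm decodes the %xx escapes.
my $query_string = 'file=image.jpg%22%3E%3C!--%20#include%0Afile=%22/etc/passwd%22--%3E%3Cspan%20id=%22foo';
my $q    = CGI->new($query_string);   # a string argument is parsed as a query string
my $file = $q->param('file');
# $file is now: image.jpg"><!-- #include\nfile="/etc/passwd"--><span id="foo

# Assumed shape of the original handler: drop the parameter straight into
# the HTML. If the server post-processes this page for SSI, the injected
# <!--#include --> is executed; even without SSI it is HTML injection.
sub render_unsafe {
    my ($name) = @_;
    return qq{<img src="$name">};
}

# Hardened handler. Two layers, because CGI.pm alone does neither:
#  1. allowlist the value (plain file name with an expected extension; no '/',
#     no leading '.', no quotes, no whitespace), which also untaints it under perl -T;
#  2. HTML-escape it anyway before emitting it as an attribute value.
sub render_safe {
    my ($name) = @_;
    my ($clean) = $name =~ m{\A([A-Za-z0-9_][A-Za-z0-9_.-]*\.(?:jpe?g|png|gif))\z}i
        or return (undef, "rejected: not a plain image file name");
    return (q{<img src="} . CGI::escapeHTML($clean) . q{">}, undef);
}

print "decoded parameter: [$file]\n";
print "unsafe markup:     ", render_unsafe($file), "\n";

# The payload, a traversal attempt, and a legitimate value through the hardened path.
for my $candidate ($file, '../../etc/passwd', 'image.jpg') {
    my ($html, $err) = render_safe($candidate);
    printf "hardened (%s): %s\n",
        ($candidate =~ /\n/ ? 'SSI payload' : $candidate),
        (defined $html ? $html : $err);
}
```

Run it under perl -T as well: the regex capture in render_safe is what untaints $file, so the taint check in perlsec and the allowlist are the same line of defence rather than two separate chores.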

Re: Re: Re: Making webpages from a single CGI
by Anonymous Monk on Oct 04, 2001 at 05:36 UTC
    Actually, I was attempting to stick with his original code and comments, as well as his original request. Yes, obviously there is more to parsing query strings, and that should be something he investigates. I was just attempting to fix what he had already written.
      hmm, you could make a great big comment showing him the error of his ways, e.g.:
      # USED FROM CGI.pm - Read it, use it, love it!
      and then proceed to cut/paste the code you'll need from CGI.pm*. On occasion, we don't want to use those modules which are there to make our lives easier; but there's no point in re-writing the code you would want to use.
      In fact, if it's just for learning purposes, what better code is there to use as an example than something tried and tested. (I learned more from doing things like that than I'd ever expected)

      But that's just my $0.02.
      *NOTE: if you decide to do that, now or later, and actually plan on implementing it, be certain you understand what you're pasting, and (sometimes) more importantly what you're not pasting, that you might need.
      good luck,
      strfry()