Re^7: CGI-Upload / Bad File Number

Replies are listed 'Best First'.
Re^8: CGI-Upload / Bad File Number by Anonymous Monk on Jul 17, 2016 at 21:11 UTC
Hi, Regarding VarsAsHash , the \ operator returns references (see perlop), so \%hash is a reference to a %hash, `my $ref = \%hash; $ref->{key} = 'value';` see perlreftut#Making References , references quick reference, modern_perl_2016_a4.pdf page 56 regarding eval, classic post on the topic of letting user input create variables in your program, http://perl.plover.com/varvarname.html, varvarname2.html, varvarname3.html example of letting user-input rewrite your program `#!/usr/bin/perl -- #~ use strict; #~ use warnings; use CGI; my $query = CGI->new( { qw{ a a b b query BANANA s s z z } } ); my @names = $query->param; for( @names ){ $val = $query->param($_); eval "\$$_ = '$val';"; } __END__ Can't locate object method "param" via package "BANANA" (perhaps you f +orgot to load "BANANA"?) at - line 8.` [download] There is no more CGI object, only BANANA, and that is best case scenario, program stopping, `$val =~ s/'/\\'/gms;` isn't enough to protect against that, instead of a failing BANANA message it could have easily deleteAllMyFiles() or makeMeSuperuser or randomExploit() Yes, you could avoid random-code in $_ by removing all except a-z characters And escape all "dangerous" characters in $val with quotemeta But then random-input is still able to replace $query or any other variable in the program break it in unexpected ways Get yourself a copy of chromatics free e?book Modern Perl a loose description of how experienced and effective Perl 5 programmers work....You can learn this too. See also Learn Perl in about 2 hours 30 minutes and maybe PLEAC - Programming Language Examples Alike Cookbook And also Lexical scoping like a fox, Read this if you want to cut your development time in half! and understand that `strict` itself confers no benefits; The benefits come from avoidance of the bad practices forbidden by `strict` :) hehe, failing BANANA :D	[reply] [d/l] [select]
Re^9: CGI-Upload / Bad File Number by frnk (Novice) on Jul 18, 2016 at 10:50 UTC
I tried your example just to see what happens, but i can't find any strange behaviour. The code passes my whole script as a string without beeing executed. In the end it appears as a post on the message-board without any changes. I think the point is, that i use single-' characters. So no execution is performed. But i have to admit: In the current version it is possible to manipulate the execution by combinations of ' and \ chars or if \ is the last character at all. In this case, the evaluated string will look like this: `'foo\\'bar'` or like this: `'foo\';`. In the first case 'bar' will be executed, if it contains perl-code. (I tried this one `6\'+7+\'3`. so the evaluated string is `'6\\'+7+\\'3'`. The result was - as expected - '16'). To avoid this, i sometimes have to protect some \-characters by doubeling them, or simply remove every \-char followed by a '-char...	[reply] [d/l] [select]
Re^10: CGI-Upload / Bad File Number by Anonymous Monk on Jul 19, 2016 at 00:17 UTC
:) I tried your example just to see what happens, but i can't find any strange behaviour. so a taxi is on its way down the road driver asks passanger, where now? passanger says BANANA, and the cars wheel is replaced with a BANANA, and they crash and burn. Thats not strange? that is a feature to look for in a taxi? Same same `#!/usr/bin/perl -- #~ use strict; #~ use warnings; use CGI; my $query = CGI->new( { 'query; system q{echo deleting files}; $query +', 'BANANA', 'z','z' } ); my @names = $query->param; for( @names ){ $val = $query->param($_); eval "\$$_ = '$val';" or warn $@; } __END__ deleting files Can't locate object method "param" via package "BANANA" (perhaps you f +orgot to load "BANANA"?) at - line 8.` [download] Whoops, all the messages are lost ... is the data important? worth money? Red flags are red, where there is one, there are more ...	[reply] [d/l]