in reply to Re^7: CGI-Upload / Bad File Number
in thread CGI-Upload / Bad File Number

Hi,

Regarding VarsAsHash, the \ operator returns references (see perlop), so \%hash is a reference to %hash: my $ref = \%hash; $ref->{key} = 'value';

See perlreftut#Making References, references quick reference, modern_perl_2016_a4.pdf page 56.

Regarding eval,

classic post on the topic of letting user input create variables in your program: http://perl.plover.com/varvarname.html, varvarname2.html, varvarname3.html

Example of letting user input rewrite your program:

#!/usr/bin/perl --
#~ use strict;
#~ use warnings;
use CGI;
my $query = CGI->new( { qw{ a a b b query BANANA s s z z } } );   # param "query" carries the value BANANA
my @names = $query->param;
for( @names ){
    $val = $query->param($_);
    eval "\$$_ = '$val';";                                          # builds and runs "$query = 'BANANA';"
}
__END__
Can't locate object method "param" via package "BANANA" (perhaps you forgot to load "BANANA"?) at - line 8.

There is no more CGI object, only BANANA, and that is the best-case scenario, the program stopping;

$val =~ s/'/\\'/gms; isn't enough to protect against that;

instead of a failing BANANA message it could have easily been deleteAllMyFiles() or makeMeSuperuser or randomExploit().

Yes, you could avoid random code in $_ by removing all except a-z characters,

and escape all "dangerous" characters in $val with quotemeta,

but then random input is still able to replace $query or any other variable in the program and break it in unexpected ways.

Get yourself a copy of chromatic's free e-book Modern Perl, "a loose description of how experienced and effective Perl 5 programmers work.... You can learn this too."

See also Learn Perl in about 2 hours 30 minutes

and maybe PLEAC - Programming Language Examples Alike Cookbook

And also Lexical scoping like a fox, Read this if you want to cut your development time in half!, and understand that strict itself confers no benefits; the benefits come from avoidance of the bad practices forbidden by strict :)

hehe, failing BANANA :D

Re^9: CGI-Upload / Bad File Number
by frnk (Novice) on Jul 18, 2016 at 10:50 UTC

    I tried your example just to see what happens, but I can't find any strange behaviour.
    The code passes my whole script as a string without being executed. In the end it appears as a post on the message board without any changes.

    I think the point is that I use single-' characters. So no execution is performed.

    But I have to admit:
    In the current version it is possible to manipulate the execution by combinations of ' and \ chars, or if \ is the last character at all. In this case, the evaluated string will look like this: 'foo\\'bar' or like this: 'foo\';.
    In the first case 'bar' will be executed, if it contains Perl code. (I tried this one: 6\'+7+\'3, so the evaluated string is '6\\'+7+\\'3'. The result was, as expected, '16'.)

    To avoid this, I sometimes have to protect some \-characters by doubling them, or simply remove every \-char followed by a '-char...

      :)

      I tried your example just to see what happens, but i can't find any strange behaviour.

      So a taxi is on its way down the road, the driver asks the passenger, where now?

      The passenger says BANANA, and the car's wheel is replaced with a BANANA, and they crash and burn.

      That's not strange? That is a feature to look for in a taxi?

      Same same

      #!/usr/bin/perl --
      #~ use strict;
      #~ use warnings;
      use CGI;
      my $query = CGI->new( { 'query; system q{echo deleting files}; $query', 'BANANA', 'z','z' } );   # the parameter *name* carries the code
      my @names = $query->param;
      for( @names ){
          $val = $query->param($_);
          eval "\$$_ = '$val';" or warn $@;   # runs "$query; system q{echo deleting files}; $query = 'BANANA';"
      }
      __END__
      deleting files
      Can't locate object method "param" via package "BANANA" (perhaps you forgot to load "BANANA"?) at - line 8.

      Whoops, all the messages are lost ... is the data important? worth money?

      Red flags are red, where there is one, there are more ...
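The hash approach recommended at the top of the thread (VarsAsHash), applied to the same hostile parameter names and values used in the replies above, as an added example; this is not code from the thread, and the parameter names and values are constructed for the demonstration. It assumes CGI.pm is installed, as in the thread's own snippets. Because a parameter name only ever becomes a hash key and a value only ever a string, neither the "; system ..." name nor the \' trick reaches the Perl parser, and $query stays the CGI object.

```perl
#!/usr/bin/perl
# Added example (not from the thread): keep CGI parameters as data in a
# lexical hash instead of eval-ing "\$$name = '$val'" into the program.
use strict;
use warnings;
use CGI;

# Constructed input: the hostile names and values the thread plays with,
# handed to CGI->new as a hash reference (CGI.pm accepts that form).
my $query = CGI->new({
    'query; system q{echo deleting files}; $query' => 'BANANA',  # would clobber $query under eval
    's' => q{6\'+7+\'3},                                         # the \' trick from the reply above
    'z' => 'z',
});

# Copy every parameter into a hash. Names are hash keys and values are
# strings; nothing here is ever handed to eval, so nothing is parsed as Perl.
my %form;
for my $name ($query->param) {
    $form{$name} = scalar $query->param($name);   # multi-valued fields would need multi_param
}

# $query is still the CGI object, and the values are unchanged text.
printf "query object is still a %s\n", ref $query;      # prints: query object is still a CGI
printf "%-45s => %s\n", $_, $form{$_} for sort keys %form;
```

The same thing in one line is my %form = $query->Vars; (CGI.pm joins multi-valued fields with "\0" in that form). Either way, the program's own variables are out of reach of the request, which is what the eval version can never guarantee no matter how many characters are escaped.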