in reply to Download, don't redirect.

One flaw I see here is you are not in taint mode. I'm not completely clear why you think that way is any better or safer (on its own) than using Location (or CGI.pm's redirect() method). In any case, without taint checking in your example, you are left open to ../../../../../etc/passwd being passed as the filename.

You mentioned that you attempt to do this when _you_ parse QUERY_STRING, but I wonder why you are doing this instead of using CGI.pm or CGI_Lite.

RE: RE: Download, don't redirect.
by BBQ (Curate) on May 22, 2000 at 07:12 UTC
    You're absolutely right. Why re-invent the wheel, right? Well, at the time I wrote the above, the wheel in question (CGI.pm) hadn't been written yet! ;)

    I guess that just goes to show how old this snippet is! But I've found use for it on more than one occasion... The way I used to parse the query string (and please, please, please don't try this at home, kids!) was:

    sub ReadParse {
        # POST body first, then the query string (no check that CONTENT_LENGTH is set)
        read(STDIN, $buf, $ENV{'CONTENT_LENGTH'});
        @li = (split(/&/, $buf), split(/&/, $ENV{'QUERY_STRING'}));
        foreach my $input (@li) {
            $input =~ tr/+/ /;                          # '+' is an encoded space
            $input =~ s/%(..)/pack("C", hex($1))/eg;    # decode %XX escapes
            $input =~ s/\.\.\///g;                      # strip "../" (a single pass)
            ($name, $val) = split(/=/, $input);         # split after decoding, so an encoded '=' in a value truncates it
            $name =~ tr/A-Z/a-z/;                       # parameter names are case-folded
            $in{$name} = $val;                          # results land in the global %in
        }
    }
    Someone might even find THAT snippet of some interest... But as you can see from the above, the security risk of getting ../ in your file name was caught. Only God knows what other security risks could be involved nowadays!

    Thanks for the words of advice.
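Both posts above turn on the same point: keeping `../` out of a file name that ends up in a download path, and whether a one-pass strip or taint checking gets you there. The script below is an added example written for this page, not code from BBQ, the original poster, or CGI.pm. It puts the single-pass `s/\.\.\///g` from the ReadParse snippet next to a whitelist untaint plus a canonical-path check, and runs both over a handful of constructed file names against a throwaway download directory. The function names `naive_strip`, `untaint_basename` and `safe_download_path`, and every sample name, are my own choices for the illustration; run it as `perl -T script.pl` to see the regex capture doing the untainting.

```perl
#!/usr/bin/perl
# Added example for this thread, not code from the posts above.
# Run with:  perl -T this_script.pl   (also runs without -T).
# Function names and sample file names are chosen for this example only.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# The old approach from ReadParse: delete every "../" in one pass. This can be
# bypassed, because removing "../" from "....//" leaves a fresh "../" behind.
sub naive_strip {
    my ($name) = @_;
    $name =~ s/\.\.\///g;
    return $name;
}

# Whitelist untaint: accept only a plain base name (no slashes, no leading dot,
# no NUL, bounded length). Under -T the capture group $1 is what clears the
# taint flag; under plain perl it is simply a strict validator. Anything else
# yields undef rather than a "cleaned up" version of the input.
sub untaint_basename {
    my ($name) = @_;
    return unless defined $name;
    return $1 if $name =~ m{\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z};
    return;
}

# Map a user-supplied name to a file under $docroot. Returns undef when the name
# fails the whitelist, the file does not exist, or the resolved path (symlinks
# followed) lies outside $docroot.
sub safe_download_path {
    my ($docroot, $requested) = @_;
    my $base = untaint_basename($requested);
    return unless defined $base;
    my $candidate = File::Spec->catfile($docroot, $base);
    return unless -f $candidate;
    my $real = abs_path($candidate);
    my $root = abs_path($docroot);
    return unless defined $real && defined $root;
    # Require $real to sit strictly below $root; the trailing "/" stops
    # "/srv/pub2/x" from passing as inside "/srv/pub".
    return unless index($real, "$root/") == 0;
    return $real;
}

# --- demonstration on a temporary download directory (constructed data) ---
my $docroot = tempdir(CLEANUP => 1);
{
    open my $fh, '>', File::Spec->catfile($docroot, 'report.txt')
        or die "cannot create sample file: $!";
    print {$fh} "quarterly numbers\n";
    close $fh;
}

my @attempts = (
    'report.txt',              # legitimate request
    '../../../../etc/passwd',  # classic traversal, caught by the strip
    '....//....//etc/passwd',  # survives a single-pass "../" strip
    '.htaccess',               # dotfile, rejected by the whitelist
    'missing.txt',             # well-formed name, but no such file
);

for my $name (@attempts) {
    my $stripped = naive_strip($name);
    my $path     = safe_download_path($docroot, $name);
    printf "%-24s strip -> %-20s download -> %s\n",
        $name, $stripped, defined $path ? 'allowed' : 'rejected';
}
```

The third sample is the one worth staring at: `naive_strip` turns `....//....//etc/passwd` into `../../etc/passwd`, so the strip in the old ReadParse removes the obvious attack but not the folded one. The whitelist approach never tries to repair a bad name; it either returns a clean base name or nothing, and the `abs_path` comparison afterwards catches the case where a legitimately named file under the download directory is a symlink pointing somewhere else.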