beretboy has asked for the wisdom of the Perl Monks concerning the following question:

The following script is meant to write a file based on form input. The script works on the command line but not via CGI. I believe taint checking is to blame. As far as the security aspect, this will only be used by me and be password protected so what is written is not a security concern.
    #!/usr/bin/perl -w
    use strict;
    use CGI qw( param header);
    $q = new CGI;
    my $tela = $q->param('tela');
    my $yoken = $q->param('yoken');
    if ($tela eq undef) {
        print header;
        print <<SEIFORM;
    <HTML>
    <TITLE>seisei</TITLE>
    <body bgcolor="black" background="line.gif" alink="#ff9900" link="#ff9900" vlink="#ff9900" text="#ff9900">
    <form action="seisei.cgi" method="get" name="seisei">
    Tela:<input type="text" value="wiki" name="tela" align="top" maxlength="25" size="77"><br>
    <textarea name=yoken cols=70 rows=12>void</textarea>
    <BR>
    <input type="submit" value="kuppuku" align="middle">
    </BODY>
    </HTML>
    SEIFORM
    } else {
        print header;
        print <<SUCCESS;
    <HTML>
    <TITLE>daiseikou</TITLE>
    <body bgcolor="black" background="line.gif" alink="#ff9900" link="#ff9900" vlink="#ff9900" text="#ff9900">
    <CENTER><H1>daiseikou</H1></CENTER>
    </BODY>
    </HTML>
    SUCCESS
        open(TELA, ">$tela.tela");
        print TELA "$yoken";
        print "$yoken";
    }

Edit ar0n -- fixed

Re: File writing script (taint mode problem?)
by kal (Hermit) on Jan 21, 2002 at 02:42 UTC

    beretboy - please use code tags :)

    Going from your scratch pad, the problem is that you haven't defined $q, but you are using strict. Putting a 'my' in front of it (i.e., my $q = new CGI;) makes it work for me.

    Always check the webserver logs if you are able to - the error will usually be there. You can also use the 'FatalsToBrowser' setting - check the CGI.pm man page, for example.

Re: File writing script (taint mode problem?)
by strat (Canon) on Jan 21, 2002 at 02:59 UTC
    Try to test your perl-code in a shell with:
    perl -cw myscript.pl
    That might tell you something about not having declared $q...

    Best regards,
    perl -e "print a|r,p|d=>b|p=>chr 3**2 .7=>t and t"

Re: File writing script (taint mode problem?)
by chromatic (Archbishop) on Jan 21, 2002 at 11:44 UTC
    For your next question, please provide the actual text of the error or warning you are receiving. Besides not declaring $q, you'll receive at least one warning about an undefined value in 'string eq'. Instead of comparing a value to undef, try:
    if (! defined $tela) {
        # ...
    } else {
        # ...
    }
    Assuming you did leave off the -T flag (or that it's enabled in your webserver CGI association), your open call will fail. $tela will be tainted. Even so, you don't check the success or failure of the open command, which is a bad habit to cultivate.

    When run by a webserver, your program has different permissions than when run on the command line. Even if you fix the tainting, this may come back to haunt you. Do check perlvar.
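
Added example, not part of the original thread or any poster's code: one way to untaint the `tela` parameter with an allow-list regex under `-T` and to check the result of `open`, as the replies above recommend. The output directory `/var/www/data/tela` and the helper name `untaint_name` are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI qw(param header);

# Assumed for this example: a fixed directory the web server user may write to.
my $OUT_DIR = '/var/www/data/tela';

# Untaint a user-supplied base name by capturing it through an allow-list regex.
# Returns the untainted name, or undef if the input is not acceptable.
sub untaint_name {
    my ($name) = @_;
    return unless defined $name;
    # Letters, digits, underscore and hyphen only, 1 to 25 characters (the
    # form's maxlength). No dots or slashes, so the value cannot leave $OUT_DIR.
    return $name =~ /\A([A-Za-z0-9_-]{1,25})\z/ ? $1 : undef;
}

my $tela  = param('tela');
my $yoken = param('yoken');

print header('text/plain');

if (!defined $tela) {
    print "no file name given\n";
    exit;
}

my $safe = untaint_name($tela);
if (!defined $safe) {
    print "rejected file name\n";
    exit;
}

my $path = "$OUT_DIR/$safe.tela";

# Three-argument open keeps the mode separate from the path. Check the result:
# the web server user may lack permissions that the shell user has.
open(my $fh, '>', $path) or do {
    warn "cannot open $path: $!";    # ends up in the web server error log
    print "could not write file\n";
    exit;
};
print {$fh} defined $yoken ? $yoken : '';
close($fh) or warn "close failed for $path: $!";
print "wrote $safe.tela\n";
```

Only the value captured in `$1` is untainted; using the original `$tela` in the path would still make `open` die with an "Insecure dependency" error under `-T`.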