in reply to Creating dynamically named CGIs

Danger Will Robinson!

Make jolly sure that you are checking the contents of param('file'). In particular, make sure that data.cgi?file=../../../../../../etc/passwd does not output bad things to the user.

You may have done this already, or you may trust your authenticated users, but it never hurts to be careful... I have just been bitten in the ass by this, so I speak from bitter (in)experience!

dave hj~
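One way to do the check the post asks for, written here as an added example rather than code from the post or from the original CGI: a strict allowlist on the name, followed by a confirmation that the resolved path is still inside the download directory. The `$DOWNLOAD_DIR` location and the `surtron-*.zip` naming pattern are assumptions for the example.

```perl
#!/usr/bin/perl -T
# Added example (not the poster's code): validating param('file') before it is
# used as a path. $DOWNLOAD_DIR is an assumed location.
use strict;
use warnings;
use CGI qw(param header);
use File::Spec;
use Cwd qw(realpath);

my $DOWNLOAD_DIR = '/var/www/downloads';   # assumed

# Returns the absolute path of an allowed file, or undef if the request is
# rejected. Two independent checks: an allowlist on the name itself, and a
# check that the canonical path has not escaped $DOWNLOAD_DIR.
sub safe_download_path {
    my ($name) = @_;
    return undef unless defined $name;

    # Allowlist: exactly one path component of safe characters ending in .zip.
    # This alone rejects '..', '/', '\', NUL bytes and anything with a scheme.
    return undef unless $name =~ /\A([A-Za-z0-9][A-Za-z0-9_-]*\.zip)\z/;
    my $clean = $1;                         # capture also untaints under -T

    my $path = realpath(File::Spec->catfile($DOWNLOAD_DIR, $clean));
    return undef unless defined $path && -f $path;

    # Belt and braces: a stray symlink inside the directory could still point
    # outside it, so compare the canonical path against the canonical root.
    my $root = realpath($DOWNLOAD_DIR);
    return undef unless defined $root && index($path, "$root/") == 0;
    return $path;
}

my $path = safe_download_path(scalar param('file'));
if (!defined $path) {
    # '../../../../../../etc/passwd' from the post never gets past the regex,
    # so nothing outside $DOWNLOAD_DIR is ever opened.
    print header(-status => '400 Bad Request', -type => 'text/plain');
    print "Invalid file name\n";
    exit;
}

open my $fh, '<:raw', $path or die "open $path: $!";
print header(-type => 'application/zip', -attachment => (File::Spec->splitpath($path))[2]);
local $/ = \65536;                          # stream in 64 KiB chunks
print while <$fh>;
close $fh;
```

The regex is the real control; the `realpath` comparison only guards against mistakes in the directory itself (symlinks, later edits to the pattern). Running under `-T` makes it an error to use `param('file')` in `open` without passing it through a capture like this, which is a cheap way to catch the case the post describes.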

Re: Re: Creating dynamically named CGIs
by ryan (Pilgrim) on Feb 13, 2002 at 15:01 UTC
    Yes, most definitely, thanks for the reinforcement.

    Thanks to all who replied, most helpful. Keeping to my usual style, I normally post what I ended up doing and why:

    I've gone with the $ENV{PATH_INFO} idea, because the header stuff caused double prompts and general mess in IE, worked perfectly in Opera though.

    However, I'm not actually using the $ENV{PATH_INFO} contents, I'm just calling the CGI in that style and passing the required info via POST, such as below. 'run' is the CGI and 'cda' is an ExecCGI-d directory:
    <form method="POST" action="/cda/run/surtron-020130-03.zip">
      <INPUT TYPE="image" src="/images/icon-zip.gif" ALT="Download surtron-020130-03.zip" BORDER="0">
      <input type="hidden" name="mode" value="download">
      <input type="hidden" name="file" value="surtron-020130-03.zip">
    </form>
    This is almost a shortcut I guess, looks neat from the client side and works well in all cases. As long as I check for tainted posts it seems to do what I want.

    Update:
    I have now changed the above so that the filename hidden field passes a database id instead of the actual filename to make it less h4x0rable.
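The id-instead-of-filename approach from the update, as an added example that is not ryan's code: the client only ever sends a number, the server maps it to a name it already trusts, and an unknown id is simply a 404. The `%FILES` hash stands in for the database lookup the update mentions, and `$DOWNLOAD_DIR` is an assumed location.

```perl
#!/usr/bin/perl -T
# Added example (not the poster's code): resolving a download by numeric id so
# the browser never supplies a file name. %FILES is a constructed stand-in for
# the database table; $DOWNLOAD_DIR is assumed.
use strict;
use warnings;
use CGI qw(param header);

my $DOWNLOAD_DIR = '/var/www/downloads';     # assumed
my %FILES = (                                # constructed sample rows
    1 => 'surtron-020130-03.zip',
    2 => 'surtron-020130-04.zip',
);

# Map the 'id' field to a file name, or undef if the id is malformed or unknown.
sub file_for_id {
    my ($id) = @_;
    # Only a short decimal number is acceptable; the capture also untaints it.
    return undef unless defined $id && $id =~ /\A(\d{1,9})\z/;
    return $FILES{$1};                       # undef for an id not in the table
}

# The hidden field would become <input type="hidden" name="id" value="1">.
my $name = file_for_id(scalar param('id'));
if (!defined $name) {
    print header(-status => '404 Not Found', -type => 'text/plain');
    print "No such download\n";
    exit;
}

# $name came from our own table, not the request, so joining it is safe.
open my $fh, '<:raw', "$DOWNLOAD_DIR/$name" or die "open $name: $!";
print header(-type => 'application/zip', -attachment => $name);
local $/ = \65536;                           # stream in 64 KiB chunks
print while <$fh>;
close $fh;
```

The nice property here is that the traversal question goes away entirely: there is no user-controlled string in the path, and the only thing left to validate is that the id is a number and that the row exists (plus whatever per-user authorisation the real table carries).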