in reply to file download security

Warning: You have a whopping security hole in your script. Because you don't check that the user-supplied filename is safe, the user could use this script to open (and possibly run) any file on your box that the script would have the rights to access.

As for your original question, you have a few options. The easiest is to allow basic authentication and require each user to log in before they can get to your cgi-bin. However, basic authentication sends the data "Base64" encoded, which is plain-text. If you need this secure, this is not a good solution.

You could build a simple password authentication application that controls access to the other applications, but that also won't be terribly secure unless you use SSL, which is really the only way you're going to get decent security. Incidentally, my cgi course has information for a simple authentication program in Lesson 4, part 2. In fact, after looking at your code, I think there are a few other pointers you might appreciate from that course (no offense!).

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Replies are listed 'Best First'.
Re: Re: file download security
by jreades (Friar) on Apr 15, 2002 at 18:35 UTC

    Isn't the fact that we have:

    open(FILE, "$filename")

    another big one? (I'm getting back into Perl after a year or two of Java)

    open(FILE, "<$filename")

    is a good idea to ensure that even if the user is able to access files that they shouldn't using this script, at least they can't replace foo.txt with my_evil_virus.txt.

    HTH

      That is why the code is:

      open FILE, "$filepath/$filename";

      # so provided we hard code $filepath....
      my $filepath = '/usr/somewhere';
      # and untaint $filename ensuring there are no ../ etc, in it
      my $filename = $q->param('filename') || '';
      ($filename) = $filename =~ m/^([\w.-]+)\z/;
      # then this is quite safe...
      open FILE, "$filepath/$filename" or die $!;

      As you rightly point out, open FILE, $file where the user supplies $file and it is not untainted is dangerous as hell; see this for why.

      cheers

      tachyon

      s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      BTW the hard coded < provides no protection. Besides the obvious fact that we only read from the file - not print to it - consider $filename = 'ls; cd /; rm -rf *'

      You can satisfy the < easily with say ls, then add a ; and go for your life.... The keys for security are 1) hard code the path; 2) untaint the filename so it can only contain m/^[A-Za-z._-]+\z/, which stops the old ../../../etc/passwd. Setting taint mode with the -T flag will catch a lot of errors. Don't CGI without it.

      cheers

      tachyon

      s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
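The two rules tachyon gives (hard-code the directory, whitelist the filename before it reaches open) put together as a small runnable script. This is an added example, not code from tachyon, Ovid or the original poster; the download directory $DOWNLOAD_DIR is a hypothetical placeholder, and the sample inputs in the loop are constructed to show what the check accepts and rejects. It also tightens two things the thread only implies: digits are allowed in names, "." and ".." are refused even though the character class would let them through, and the file is opened with three-argument open so the mode can never come from the user.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): hard-coded directory plus an untainting
# whitelist for a user-supplied download filename. Run as: perl -T thisfile.pl
use strict;
use warnings;

# Hypothetical download directory; the real path is site-specific and must be
# a literal in the script, never derived from request data.
my $DOWNLOAD_DIR = '/usr/somewhere';

# Returns "$dir/$name" if $param is an acceptable filename, otherwise undef.
# The character class allows only [A-Za-z0-9._-] and the pattern is anchored
# with ^ and \z, so "/", "..", ";", "|", "<", ">" and newlines cannot pass.
# Capturing into $name is also what clears Perl's taint flag under -T.
sub safe_download_path {
    my ($dir, $param) = @_;
    return undef unless defined $param;
    my ($name) = $param =~ m/^([A-Za-z0-9._-]+)\z/ or return undef;
    return undef if $name =~ m/^\.+\z/;   # "." and ".." match the class; refuse them
    return "$dir/$name";
}

# Send the file to STDOUT with a read-only three-argument open: the mode is
# fixed in the code, so nothing in $path can turn the open into a write or a pipe.
sub send_file {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!";
    binmode $fh;
    local $_;
    print while <$fh>;
    close $fh;
}

# Constructed sample inputs: the first is a normal name, the rest are the
# kinds of values the thread warns about. Only the first yields a path.
for my $p ('report.txt', '../../../etc/passwd', 'ls; cd /; rm -rf *', '..', "a\nb") {
    my $path = safe_download_path($DOWNLOAD_DIR, $p);
    my $shown = $p;
    $shown =~ s/\n/\\n/g;
    printf "%-25s -> %s\n", "'$shown'", defined $path ? $path : 'REJECTED';
}

# In a CGI the call would be guarded the same way:
#   my $path = safe_download_path($DOWNLOAD_DIR, $q->param('filename'));
#   defined $path && -f $path ? send_file($path) : print "Status: 404\n\n";
```

Running it under -T prints a path only for 'report.txt'; the other four lines print REJECTED. The check is deliberately a whitelist rather than a blacklist of "../" or ";": anything not in the allowed class fails the match, so new tricks do not need new rules, and since the directory is a literal in the script the resulting path can never leave it.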