in reply to Opening a file error

Ok, I took all your advice and tried to run it from the
shell (by writing in the params manually (yyy for filename)) and the script
works fine (creates the file I ask for, yyy.html)!!! But when I
run it from http (I added the use CGI::Carp qw(fatalsToBrowser); line)
it outputs the following error to http:

// start

yyy.html
Content-type: text/html
Software error:
Insecure dependency in open while running setgid
at /dev/fd/6 line 63.
Please send mail to this site's webmaster for help.


//end

once again the script is:
**************************************
**************************************

#!/local/0/bin/perl
use CGI qw(:all);
use CGI::Carp qw(fatalsToBrowser);
print header;
.
..
...
$nameoffile=param('nameoffile');
#By the way when I tried to use
#$nameoffile=$query->param('nameoffile'); it returned the
#error "..param must be part of some structure..."
$myfilepath="$nameoffile".".html";
print "$myfilepath"; #good path returned to html

#http crashes here, unix prompt works fine
if (!(open (OUT, ">$myfilepath"))) { print "Error opening file $myfilepath for writing."; exit 0; }

print "end\n"; #http never gets here

**************************************
**************************************

//none of the other shell debugging hints really apply
(like using $! for error) because script works great from
the shell.
Any ideas what this could mean anyone?

RE: RE: Opening a file error
by btrott (Parson) on Jun 10, 2000 at 11:03 UTC
    You're getting the error:
    > Software error:
    > Insecure dependency in open while running setgid
    which means that your software is doing something good and right. You said earlier that you weren't yet worrying about security in your scripts... well, you should be happy that you're getting this error, then! It means that at least you have software looking out for your security.

    Anyway, if you read perlsec, you'll find that this error is occurring because you're using tainted data--data that's coming from a source external to your program. This is a problem in a CGI environment, because you don't control the input to your script. And in fact, the example you use is a huge security hole.

    To untaint your data, you can run it through a regular expression that checks for safe characters, then grab the safe characters and use those for your filename. perlsec has this example:

    if ($data =~ /^([-\@\w.]+)$/) {
        $data = $1;                 # $data now untainted
    } else {
        die "Bad data in $data";    # log this somewhere
    }

    So you can do something similar to your $nameoffile variable. Run it through a similar regular expression and then set it to $1.

    Read perlsec so that you write secure code.

    By the way, you also said this:

    > #By the way when I tried to use
    > #$nameoffile=$query->param('nameoffile'); it returned the
    > #error "..param must be part of some structure..."
    That code tries to call the param method on the $query object. You don't have a $query object defined, so you can't call a method on it. Just using
    param('nameoffile')
    like you are should work fine.
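An added example, not code from the original poster or from btrott, showing the poster's script rewritten the way the reply describes: taint mode stays on, the filename from param() is passed through a capturing regex, and only the captured group reaches open(). The output directory /var/www/out is a placeholder assumption, as is the name of the untaint_name helper. The character class is tighter than the perlsec one quoted above (no '@', no leading '.'), and '..' is refused explicitly, so the untainted value can never name a path outside the output directory.

```perl
#!/usr/bin/perl -T
# Added example (not the original poster's or btrott's code).
# Same flow as the script in the post, with the filename untainted
# before open(). -T in the shebang keeps taint checks on under the
# web server; from the shell run it as: perl -T script.pl nameoffile=yyy
use strict;
use warnings;
use CGI qw(:all);
use CGI::Carp qw(fatalsToBrowser);

# Taint mode also distrusts the environment inherited from the server.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $outdir = '/var/www/out';    # placeholder; assumed writable by the CGI user

# Returns the validated, untainted base name, or undef if the input is unsafe.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw && length $raw;
    # Allowed: letters, digits, '_', '-', '.'; first char may not be '.'.
    # No '/' is allowed, so the result cannot escape $outdir.
    if ($raw =~ /^([-\w][-\w.]*)$/) {
        my $name = $1;                      # capture group is untainted
        return undef if $name =~ /\.\./;    # refuse "a..b" style names too
        return $name;
    }
    return undef;
}

print header;

my $name = untaint_name(param('nameoffile'));
if (!defined $name) {
    # Do not echo the raw input back into the page.
    print "Bad filename.\n";
    exit 0;
}

my $myfilepath = "$outdir/$name.html";
# Three-argument open: the mode can never be smuggled in via the name.
if (!open(my $out, '>', $myfilepath)) {
    # $! is useful here but the full server path is kept out of the browser.
    print "Error opening file $name.html for writing: $!\n";
    exit 0;
}
print $out "<html><body>created $name.html</body></html>\n";
close $out or die "close failed: $!";

print "end\n";
```

Because CGI.pm accepts name=value pairs on the command line, the same script can be exercised from the shell with taint mode on (perl -T script.pl nameoffile=yyy), which reproduces the web server's behaviour more faithfully than running it without -T; a value such as nameoffile=../x is rejected before open() is reached.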