Becky has asked for the wisdom of the Perl Monks concerning the following question:

I have a perl program which works perfectly when I run it from the command line with invocation arguments, but when I try to pass in the invocation arguments via a cgi web form, no output file is created, even though the cgi script works. The last line of the cgi script is:

system "/var/www/perl/cgi_classification.pl $outfile $input_sequence $name";

The invocation arguments are all input by the user into the web form. The first bit of my perl script (cgi_classification.pl) is:

open OUTFILE, ">/var/www/data/$ARGV[0]" or die "cannot....";

I have made sure that the permissions for the data directory where I want to put the outfile are rwx for user, group and owner, and it works from the command line, so I'm assuming it's a security issue from web forms. What can I do to solve it?

Replies are listed 'Best First'.
Re: running a perl program from a cgi webpage
by Joost (Canon) on Jul 04, 2002 at 12:51 UTC
    You will want to take a look at the docs for CGI, especially the param() method.

    Running a program via CGI is very different from running a program from the command line, and also has many more security issues.

    summary:

    #!/usr/bin/perl -wT
    use CGI;

    Update:

    After reading your post again, it seems your problem is indeed related to permissions. Make sure the files are writeable for the user the webserver is running as.

    Try checking the results of your system call like this:

    system("command ...") == 0 or die "System error: $?";

    You could also take a look at the error logs and see the error code your script outputs.

    -- Joost
    downtime n. The period during which a system is error-free and immune from user input.
Re: running a perl program from a cgi webpage
by mephit (Scribe) on Jul 04, 2002 at 17:23 UTC
    I agree that there are security issues that need to be addressed here. One thing that I didn't see at that link that Joost mentioned here ('cause it's not really a CGI issue) is the use of system.

    The OP is using the single-argument form, with part of that argument taken directly from the form input. Bad Idea. Use the multiple-argument form of system after validating the form input, that each variable contains only data that's expected:

    system ("/var/www/perl/cgi_classification.pl", $outfile, $input_sequence, $name);

    This line looks hairy, as well:

    open OUTFILE, ">/var/www/data/$ARGV[0]" or die "cannot....";

    I don't know whether $ARGV[0] is tainted, but I'd validate it before opening, anyway.

    my $filename = $ARGV[0];
    # Use whatever regex suits your needs. this is just an example.
    if ($filename =~ /^([\w]+\.[\w]+)$/) {
        $filename = $1;
    }
    else {
        # handle the error here
    }

    HTH

    --

    There are 10 kinds of people -- those that understand binary, and those that don't.
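
An added example, not code from the thread, combining the advice in the replies above: taint mode, allow-list validation of each form field, list-form system, and a check of its return status. The patterns, the helper names validate and run_classifier, and the use of /bin/true as a stand-in for cgi_classification.pl are assumptions; the sample submissions are constructed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode refuses to exec while these are inherited from the web server.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allow-list patterns (assumptions; adjust to what the real data looks like).
my %allowed = (
    outfile        => qr/\A(\w{1,64}\.\w{1,8})\z/,   # name.ext, no path separators
    input_sequence => qr/\A([A-Za-z]{1,10000})\z/,   # sequence letters only
    name           => qr/\A([\w-]{1,64})\z/,
);

# Return the untainted capture, or undef if the value does not match its pattern.
sub validate {
    my ($field, $value) = @_;
    return undef unless defined $value && exists $allowed{$field};
    return $value =~ $allowed{$field} ? $1 : undef;
}

# Validate every field, then run the program with list-form system,
# so no shell ever parses the arguments.
sub run_classifier {
    my ($program, %form) = @_;
    my @args;
    for my $field (qw(outfile input_sequence name)) {
        my $clean = validate($field, $form{$field});
        return "rejected $field" unless defined $clean;
        push @args, $clean;
    }
    system($program, @args) == 0
        or return "classifier failed (\$? = $?)";
    return "ok";
}

# Constructed sample submissions; in the CGI script these come from param().
my @samples = (
    { outfile => 'result.txt',       input_sequence => 'ACGTACGT', name => 'becky' },
    { outfile => '../../etc/passwd', input_sequence => 'ACGT',     name => 'x' },
    { outfile => 'out.txt; id',      input_sequence => 'ACGT',     name => 'x' },
);
for my $s (@samples) {
    printf "%-20s => %s\n", $s->{outfile}, run_classifier('/bin/true', %$s);
}
```

Because -T is on the #! line, run the file as an executable or with `perl -T`; only the first sample reaches system, the other two are rejected at the outfile check.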

Re: running a perl program from a cgi webpage
by amphiplex (Monk) on Jul 04, 2002 at 17:11 UTC
    Make sure that all directories have at least the "x" bit set for the user running the webserver. Maybe /var/www/data is 777, but /var/www is 700 and belongs to root or something like this.

    ---- kurt