in reply to Re: Error using -T...
in thread Error using -T...

Line 88 is this:
require "$Page_Loc/$pg.conf";

It is basically just the "page" coding, the actual content is stored in a database. I am just pulling in the Perl syntax for that page, IF it exists:
if (-e "$Page_Loc/$pg.conf") {
    # line 88 above ;o)
}

I guess, I MIGHT have to put them all into the main system, and just use the page names as subroutines, and run them when that page is called... Or is there a different way to avoid getting that error?

I am just not checking out that link the other person, Enlil I think, posted. Thanks everyone.


Richard

Re: Re: Re: Error using -T...
by Limbic~Region (Chancellor) on May 31, 2003 at 19:57 UTC
    powerhouse,
    The problem is that you are requiring a file from tainted data. You will have to Untaint $pg first. I am not sure I would be doing it the same way you are if I was concerned about security.

    Cheers - L~R

      What security gap do you see there? The file requires one written in the back end, and it does not rely upon anything passed in the browser, except a page, and it only uses that to see if it exists, and when it passes it to the subroutine to get the title and content, I do security checks and use placeholders.

      I don't really know what else to guard for.

      What are you thinking?

      thx,
      Richard
        powerhouse,
        The point to using Taint checking is to never allow your script to let data it obtains externally escape the program (as I pointed out in my first post). You are requiring a variable - that variable was obtained external to your program - this means that you will have to Untaint it before you use it. You really should look at perldoc perlsec as Enlil suggested.

        Cheers - L~R
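
The untainting step discussed in this thread, as an added example that is not code from any of the posters: an allowlist regex capture clears the taint on the page name before it reaches `-e` and `require`. The helper names `untaint_page` and `load_page_conf`, the demo directory, and the rule that page names are 1 to 64 letters, digits, `_` or `-` are assumptions made for illustration.

```perl
# Run with: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Allowlist untaint: only a regex capture clears the taint flag, and this
# pattern admits no "/", "." or NUL, so the name cannot leave $dir.
# (Assumed naming rule; adjust to the page names actually in use.)
sub untaint_page {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

# Hypothetical helper: require "$dir/$page.conf" only for a valid, existing page.
sub load_page_conf {
    my ($dir, $raw) = @_;
    my $page = untaint_page($raw);
    return 'rejected' unless defined $page;
    my $file = "$dir/$page.conf";
    return 'missing' unless -e $file;
    require $file;              # $file is built from untainted parts only
    return 'loaded';
}

# Constructed demo data: a private directory holding one page file.
my $dir = "/tmp/untaint_demo_$$";
mkdir $dir, 0700 or die "mkdir $dir: $!";
open my $fh, '>', "$dir/home.conf" or die "open: $!";
print {$fh} "our \$page_title = 'Home';\n1;\n";
close $fh or die "close: $!";

# A zero-length tainted string; appending it taints each constructed sample
# the way a CGI parameter would be tainted.
my $taint = substr($^X, 0, 0);
for my $sample ('home', 'nosuch', '../../etc/passwd', "home\0.conf") {
    my $raw = $sample . $taint;
    (my $shown = $raw) =~ s/\0/\\0/g;
    printf "%-20s tainted=%d -> %s\n", $shown, tainted($raw) ? 1 : 0,
        load_page_conf($dir, $raw);
}

unlink "$dir/home.conf";
rmdir $dir;
```

A catch-all capture such as `/(.*)/` would also clear the taint flag but validates nothing, which is why the pattern here is a strict allowlist.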