in reply to Not my first program, but the first I'll share...

Please ignore my not using CGI.pm's HTML shortcuts, I'm still reading up on those.

It's fine to not use CGI.pm's HTML shortcuts, but seriously, consider using it to at least parse your input for you. It's pretty easy to generate HTML output on your own, but it's difficult to do a good job parsing CGI input.

Also, just for kicks and giggles, turn on -T (taint checking) by putting the -T on the shebang line just like you've done with -w. You'll find that you are actually doing something quite dangerous by accepting a filename and sending user input through the open command. You may think it doesn't matter much if the script is just for personal use. But if you put that script on your ISP or webhosting company's server, you are exposing the ISP/webhost to a serious security breach, and yourself to a possible legal liability if they get attacked through your script.

Please read: use CGI or die;, and escaping filenames taken in via user input.

One alternative to taking user input for filenames is this:

Generate your own list of filenames by reading the target directory. Give the user a list of filenames, and let him select from that list. And don't accept the actual file name as an HTML parameter. Use a hash lookup table: A => file1.dat, B => file2.dat, etc. That way the input you get from your HTML form never directly finds its way into your open statement.


Dave


"If I had my life to live over again, I'd be a plumber." -- Albert Einstein

Re: Re: Not my first program, but the first I'll share...
by Anonymous Monk on Oct 27, 2003 at 21:45 UTC
    Yeah, that is exactly why taint protection isn't on. I know it's dangerous to take the input that way. While the regex keeps all traditional '../' and such attacks from using the script, I decided to keep this one under a passworded folder on the server so it's harder to access.
      Turning off -T taint checking because your CGI script is too unsafe to run under taint mode reminds me of part two of the definition of Ostrich from the American Heritage Dictionary:
      "One who tries to avoid disagreeable situations by refusing to face them."

      If you insist on letting users give you filenames, at very least, use the three-argument version of open.

      I seem to remember reading somewhere that .htaccess is not infallible as a security measure. I can't seem to find the link now though.

      I still think you should give the user a filename list, and read which item they selected from the list, by some index value. That way you only pass index values as input from the CGI script, and then you look up what file that index pertains to, and open the file yourself. Such a setup eliminates any possibility of the user specifying a dirty filename.


      Dave


      "If I had my life to live over again, I'd be a plumber." -- Albert Einstein
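The index-lookup approach Dave describes, as an added example (my own code, not the original poster's script). It assumes a fixed data directory (placeholder path) whose files end in .dat; the form carries only an index, the filename comes from the script's own table, and the file is opened with three-argument open under -T:

```perl
#!/usr/bin/perl -wT
use strict;
use CGI;

# Assumed: a fixed, script-chosen data directory (placeholder path).
my $DATA_DIR = '/path/to/data';

my $q = CGI->new;

# Build the list of files ourselves, from the directory on disk.
# readdir() output is tainted under -T, so capture only names that match
# a conservative pattern; $1 is an untainted copy of each such name.
opendir(my $dh, $DATA_DIR) or die "Cannot read $DATA_DIR: $!";
my @files = sort map { /^([\w.-]+\.dat)$/ ? $1 : () } readdir($dh);
closedir($dh);

# Lookup table: index => filename. The HTML form only ever carries the index.
my %file_for = map { $_ => $files[$_] } 0 .. $#files;

print $q->header('text/plain');

my $choice = $q->param('file');

if (defined $choice && $choice =~ /^(\d+)$/ && exists $file_for{$1}) {
    # $1 is a validated integer; the name it maps to comes from OUR table,
    # so nothing the user typed ever reaches open().
    my $name = $file_for{$1};
    my $path = "$DATA_DIR/$name";
    # Three-argument open: '<' fixes the mode, so the filename can never be
    # read as a pipe ('|') or as a different open mode.
    open(my $fh, '<', $path) or die "Cannot open $name: $!";
    print while <$fh>;
    close($fh);
}
else {
    # No (or invalid) selection: show the menu of indexes, never raw paths.
    print "Choose a file by index and pass it as ?file=N\n";
    for my $i (sort { $a <=> $b } keys %file_for) {
        print "$i: $file_for{$i}\n";
    }
}
```

A real form would render the index list as a select element with CGI.pm's helpers; the lookup and open logic stay the same.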
        I've been trying to figure out how to do the filename list; the problem is that I have two programs dealing with non-static data and one refers to this one using basic links. I can't figure out how to interface the programs without merging them into one program.

        As a note so you can help me figure this out: My webserver has no .htaccess files. It doesn't allow for writing at all (a limit to my scripting) and it allows no access outside aliased directories... Well, I can't say NO access... I'm sure there is some glitch in it, but I can't even find it with my own scripts.

        Gotta get to school, hoping for help with my security issue when I return...