I waited to post this until you'd taken down your script, which it seems you've done now, because it contains at least one classic and major security issue: As I've described in my node here, allowing practically unfiltered user input to be used directly in backticks allows anyone to execute arbitrary shell commands on your server. (Not to mention the fact that this script is basically a proxy open to everyone, which is an issue by itself.)

For example, a QUERY_STRING of example.com%22%3Bcat+%22%2Fetc%2Fpasswd would have caused the script to execute the shell command wget ... "http://example.com";cat "/etc/passwd". I hope you see the major problem with that or any other arbitrary command.

I've also commented on your style of reinventing all the wheels before. I don't do this just for the sake of the criticism itself or because I want to discourage learning or take away from any enjoyment you might get from writing code in this style - I'm very much a fan of TIMTOWTDI - and if you want to write these scripts like this for yourself, that's fine. But as soon as you put these into some kind of "production", what I've said before becomes a real issue: the more code you write yourself, the more code you have to test and maintain*. (And when asking questions, it gives others much more code to wade through.)

And if you expose this to the world, there's the added issue of having much more code to secure properly. And with security issues, your site can quickly become the next spam relay or home for scammers, so it affects everyone.

If you're going to be putting stuff online like this, I implore you to use the proper modules and follow the best practices for security.

* Just for example, your sub unescape contains at least one bug: If the input string starts with a %HH encoded character, that is skipped, because my $i = index( $X, '%' ) >= 0 || return $X; doesn't actually get the index; $i will always be the return value of the logical expression. Every single one of your obfuscated subs has a corresponding function in a popular, well-maintained module, or in the Perl core itself.


In reply to Re: wget not working from perl by haukex
in thread wget not working from perl by harangzsolt33
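The following is an added illustration of the two problems haukex describes above (the shell injection through backticks, and the precedence bug in unescape). It is my own Perl, not harangzsolt33's script and not code from anywhere in this thread. Two things are assumed: the shape of the original wget call (wget -q -O - "http://...", since the post only shows wget ... "http://example.com"), and the allow-list policy of "hostname, optional port, optional path", which is a choice for this example rather than something the thread specifies. Nothing in the demo touches the network.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed sample input: the QUERY_STRING from the post above.
my $QS = 'example.com%22%3Bcat+%22%2Fetc%2Fpasswd';

# --- 1. The precedence bug from the footnote -----------------------------
# "my $i = index($X,'%') >= 0 || return $X;" parses as
#   my $i = ( (index($X,'%') >= 0) || return $X );
# because '>=' binds tighter than '||', which binds tighter than '='.
# So $i is the boolean 1 whenever a '%' exists, never its position; a
# leading %HH (true offset 0) is therefore skipped by the caller's loop.
sub first_percent_buggy {
    my $X = shift;
    my $i = index( $X, '%' ) >= 0 || return -1;   # bug kept on purpose
    return $i;
}

sub first_percent_fixed {
    my $X = shift;
    my $i = index( $X, '%' );
    return $i;          # -1 when absent, otherwise the real offset
}

# --- 2. Decoding without a hand-rolled loop ------------------------------
# Query-string rules: '+' is a space and %HH is one byte.
sub unescape_query {
    my $s = shift;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# --- 3. What the vulnerable script would have handed to /bin/sh ---------
# Assumed shape of the original wget call; built here but NOT executed.
sub vulnerable_command {
    my $url = shift;
    return qq{wget -q -O - "http://$url"};
}

# --- 4. Hardened version: allow-list the target, then skip the shell -----
# Assumption: the script only ever needs host[:port][/path] targets.
sub validate_target {
    my $url = shift;
    return undef unless $url =~ m{
        \A
        [A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?         # first label
        (?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+  # more labels
        (?::\d{1,5})?                                    # optional port
        (?:/[A-Za-z0-9._~/?=&%-]*)?                      # optional path
        \z
    }x;
    return $url;
}

sub fetch_safely {
    my $url = validate_target(shift) // die "rejected: not a plain host/path URL\n";
    # List-form open: Perl execs wget directly with no shell in between, so
    # characters like ; " $ ` in $url are just bytes in one argv element.
    open my $fh, '-|', 'wget', '-q', '-O', '-', '--', "http://$url"
        or die "cannot run wget: $!\n";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# --- Offline demo --------------------------------------------------------
my $decoded = unescape_query($QS);
print "decoded query:   $decoded\n";
print "buggy index:     ", first_percent_buggy('%41'), "  (true offset is 0)\n";
print "fixed index:     ", first_percent_fixed('%41'), "\n";
print "shell would run: ", vulnerable_command($decoded), "\n";
for my $t ( $decoded, 'example.com', 'example.com:8080/index.html' ) {
    printf "validate '%s': %s\n", $t,
        defined validate_target($t) ? 'accepted' : 'rejected';
}
# Needs network; uncomment to try: print fetch_safely('example.com');
```

Two points worth keeping in mind when reading it. The list form of open (or system) is what actually removes the injection, because no shell ever parses the string; the allow-list on top of it is there so that the script stays a fetcher for the URLs it was meant for rather than an open proxy. And if the goal is just to fetch a page, spawning wget is unnecessary in the first place: HTTP::Tiny ships with core Perl (since 5.14) and LWP::UserAgent is on CPAN, which is exactly the "use the proper modules" advice in the post.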
