which means that your software is doing something good and right. You said earlier that you weren't yet worrying about security in your scripts... well, you should be happy that you're getting this error, then! It means that at least you have software looking out for your security.> Software error: > Insecure dependency in open while running setgid
Anyway, if you read perlsec, you'll find that this error is occurring because you're using tainted data--data that's coming from a source external to your program. This is a problem in a CGI environment, because you don't control the input to your script. And in fact, the example you use is a huge security hole.
To untaint your data, you can check run it through a regular expression that checks for safe characters, then grab the safe characters and use those for your filename. perlsec has this example:
So you can do something similar to your $nameoffile variable. Run it through a similar regular expression and then set it to $1.if ($data =~ /^([-\@\w.]+)$/) { $data = $1; # $data now untainted } else { die "Bad data in $data"; # log this somewhere }
Read perlsec so that you write secure code.
By the way, you also said this:
That code tries to call the param method on the $query object. You don't have a $query object defined, so you can't call a method on it. Just using> #By the way when I tried to use > #$nameoffile=$query->param('nameoffile'); it returned the > #error "..param must be part of some structure..."
like you are should work fine.param('nameoffile')
In reply to RE: RE: Opening a file error
by btrott
in thread Opening a file error
by Anonymous Monk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |