comment on

I've got a bunch of programs that handle a website I'm working on, one of which is a main "server" program. It basically gets a single parameter: page location (for example: http://.../serve.pl?page=/perl/index.html). This works very nicely.

Have you tried your script to see how ‘nicely’ it works with pages that aren't in your document directory. You don't want things like this to work:

http://.../serve.pl?page=/etc/passwd
http://.../serve.pl?page=../../../../../../etc/passwd

You'd improve security if you just passed in the basename of the file as the CGI parameter, with the path and extension being hardcoded in the Perl script and added there.

But even that may not be secure. Do not put your site live without checking the vulnerabilities mentioned in this Phrack article. This still applies even if you go for URL rewriting as suggested in other answers.

Smylers

In reply to Re: Minimizing paths? by Smylers
in thread Minimizing paths? by Anonymous Monk

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.