Turning off -T taint checking because your CGI script is too unsafe to run under taint mode reminds me of part two of the definition of Ostrich from the American Heritage Dictionary:
"One who tries to avoid disagreeable situations by refusing to face them."

If you insist on letting users give you filenames, at the very least, use the three-argument version of open.

I seem to remember reading somewhere that .htaccess is not infallible as a security measure. I can't seem to find the link now though.

I still think you should give the user a filename list, and read which item they selected from the list, by some index value. That way you only pass index values as input from the CGI script, and then you look up what file that index pertains to, and open the file yourself. Such a setup eliminates any possibility of the user specifying a dirty filename.


Dave


"If I had my life to live over again, I'd be a plumber." -- Albert Einstein

In reply to Re: Re: Re: Not my first program, but the first I'll share... by davido
in thread Not my first program, but the first I'll share... by pekkhum
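
The index-lookup setup suggested in the post above, combined with three-argument open, as an added example that is not part of the original post or thread. The function name `open_selected`, the file names and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post).
use strict;
use warnings;
use File::Temp qw(tempdir);

# Map a user-supplied index to a server-chosen file and open it read-only.
# Returns a filehandle, or nothing if the input is not a valid index.
sub open_selected {
    my ($input, $dir, $files) = @_;

    # Accept only a short run of digits. Under -T this capture is also
    # the step that untaints the value.
    return unless defined $input && $input =~ /\A(\d{1,4})\z/;
    my $index = $1;
    return if $index > $#{$files};

    # The path is built only from names the server chose, never from input.
    my $path = "$dir/$files->[$index]";

    # Three-argument open: the mode is fixed, so the name cannot alter it.
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample data: a scratch directory holding two files.
my $dir   = tempdir(CLEANUP => 1);
my @files = ('readme.txt', 'notes.txt');
for my $name (@files) {
    open(my $out, '>', "$dir/$name") or die "cannot create $name: $!";
    print {$out} "contents of $name\n";
    close $out;
}

# Constructed inputs, as a CGI parameter might deliver them.
for my $input ('1', '0', '2', '-1', '1abc', '../notes.txt', 'notes.txt|') {
    if (my $fh = open_selected($input, $dir, \@files)) {
        my $line = <$fh>;
        chomp $line;
        close $fh;
        print "accepted '$input': $line\n";
    }
    else {
        print "rejected '$input'\n";
    }
}
```

Only `1` and `0` are accepted; every other input fails the digit check or the range check before any path is built.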
