I'm working on the second lesson of my
online CGI course and ran into a bit of a stumper.
I'm demonstrating why most alternatives to CGI.pm fail on file uploads and I use the following script to show the contents of <STDIN> following the browser POST:
#!c:/perl/bin/perl.exe -wT
use strict;
my $buffer;
read (STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
print "Content-type: text/plain\n\n";
print $buffer;
Now generally, if the Content-type is test/html, this represents a security hole as some user could enter a dangerous SSI (e.g.
<!--#exec cmd="/bin/rm -fr"-->). If the Web server is configured to allow SSI interpretation in CGI scripts, you've just had a bunch of files wiped out with that. However, if the Content-type is text/plain, do the servers ignore SSI? If it is in any way possible for such an SSI to be entered in such a script, I would like to include that in one of my "Security Checkpoints."
Cheers,
Ovid
Join the Perlmonks Setiathome Group or just go the the link and check out our stats.
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.