The script you are talking about writes to the hard disk and does not read from it, so "extracting the file", as you put it in your example, is irrelevant. Furthermore, both scripts have been fixed for two days now. Lastly, I already tried to implement File::Spec two days ago. While I did not use splitpath, I did try no_upwards() and this was not feasible for my usage.
The no_upwards method and your method (if it was applied to writing and not reading) both require the script to be able to write to the cgi-bin folder. Now I know you surely cannot be suggesting that! That would be the largest security hole I have heard of to date on this topic. The very nature of the script is it has to run in cgi-bin and write to a directory outside of cgi-bin.
"You're offering this script for download as well."
Again, you are mistaken. If you are going to give advice, make sure you have your facts straight first. I still am not positive what script you are talking about, since your first post referenced a script that wrote to the filesystem and you tried to point out a security hole that did not exist in that script, and now this post tries to tell me how to fix a read hole in another script that has been fixed for 2 days?
"While it may not work for your machine, it may work elsewhere."
The permissions on my machine are default, therefore if it were to work on anyone else's machine they would purposely have to change the permission setting to allow all users on the system to be able to write to their home directory. If they did that, then they deserve to be taken advantage of.
As I say, the security hole you talked about does not exist, but I made it more strict anyway.
In reply to Re^8: issues displaying cgi script source? by Elijah, in thread issues displaying cgi script source? by Elijah