Here are a handful of the flaws of this code:
print "Content-type:text/html\n\n";\n\n is the incorrect header terminator. \r\n\r\n is usually closer, but I admit that I don't know the proper set of characters off-hand, because I never send them directly.
if ($ENV{'REQUEST_METHOD'} eq "GET") {Not technically incorrect, but there are HTTP verbs other than GET and POST.
read(STDIN, $request,$ENV{'CONTENT_LENGTH'})There's no sanitizing of the CONTENT_LENGTH variable, leaving this script wide open to a denial of service attack by either blocking and waiting for more input than is available, or eating up all of the memory if someone sends a long stream of garbage. (I'm not positive that everything is vulnerable to the blocking attack.)
@parameter_list = split(/&/,$request);; is also a key/value pair separator in HTTP.
$name =~ s/%([0-9A-F][0-9A-F])/pack("c",hex($1))/ge;I believe there's a flaw in here related to invalid hex values, but I can't prove it right now.
$passed{$name} .= ":$value";This makes no sense. I've used the colon in both keys and values before. An earlier version of similar code at least used null bytes; that seemed somewhat more sane.
In reply to Re^2: get parameter from html page
by chromatic
in thread get parameter from html page
by pritoshpandey
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |