If i hardcode the values of dir and zip like this cd /dog/cat and unzip rat.zip they work just fine...I am really confused by this. cd and unzip are not built-in perl functions. As kyle suggested, you normally would do something like this:
The && is there to make sure that the unzip command is run only if the chdir succeeds.chdir($dir) && system("unzip", $unzip);
However, since you are using these commands in a CGI script, you need to take extra precautions to make sure that users cannot subvert your script to make it do something you don't want them to do. That means you have to validate the input to make sure it looks like what you expect it to look like. For example, I'm sure you don't want users to be able to chdir to just any directory and unzip just any file.
Perl has a nice feature called tainting which helps you keep track of user input which needs to be vetted before it can be passed on to commands like chdir and system. You can enable it using the -T switch in the she-bang line of your script:
When enabled, user input (like posted form data) will be marked as tainted, and if you try to pass the data directly to a command like chdir or system, perl will throw an exception. To untaint the data, you have to examine it with a regular expression:#!/usr/bin/perl -T
my $dir = $query->param('dir'); my $zip = $query->param('zip'); die "invalid dir" unless ($dir =~ m/^([a-zA-Z0-9]+)\z/); my $valid_dir = $1; # $valid_dir is untainted die "invalid zip file" unless ($zip =~ m/^([a-zA-Z0-9]+)\z/); my $valid_zip = $1; chdir($valid_dir) && system("unzip", $valid_zip);
In reply to Re: HTML Form and Perl
by pc88mxer
in thread HTML Form and Perl
by workman_m
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |