in reply to Re: directory list
in thread directory list

Ooops.
Well I'm not sure how much help jmac needed in the html department:
use strict;
use CGI;
use CGI::Carp( 'fatalsToBrowser' );
use HTML::Entities;

my $q = CGI->new();
my $dir = '\images'; # or some other default.
chdir( $dir ) or die "Couldn't cd to '$dir', $!";
my @images = map {glob( "*.$_" )} qw( gif jpg jpeg tif xif bmp );
@images = map { encode_entities( $_ ) } @images;
print $q->header(), $q->start_html();
print $q->h1( "My Image files" );
print "\n<UL>\n";
print "<LI>${_}\n" for @images;
print "</UL>\n";
print $q->end_html();
UPDATE:
Rather than argue further with merlyn, I removed the user-input part of my code. That's what I get for trying to add a little functionality... sigh.

RE: RE: Re: directory list
by merlyn (Sage) on Sep 21, 2000 at 02:09 UTC
    my $dir = $q->param('imageDir') ? $q->param('imageDir') : '\images'; # or some other default.
    die "Illegal directory name '$dir'" unless -d $dir;
    chdir( $dir ) or die "Couldn't cd to '$dir', $!";
    I'm not sure I'd ever install a CGI script that took an unrestricted directory name from a parameter! Danger, Will Robinson!

    -- Randal L. Schwartz, Perl hacker

      I disagree. There is no danger in that script. Granted, I didn't do much of a test, but at least I check that it is really a directory. How much damage can a script do trying to change directory and glob for known extensions? Not much. In fact the only "risk" I can see would be someone looking to see if given directories exist on your server. Not that big a deal. Nor would it take much to add a regex after the -d line to make sure the user-supplied directory is sanctioned.

      Calm your alarms merlyn, they are not needed here.

        One danger that occurs to me off the top of my head is "borrowing code". When we need to write a quick script, how often do we say "Oh! I have some code that will do that" and take that code and modify it. If I grab your code to make a list of all files and I don't realize it's insecure, I could be revealing information that I don't want to.

        Another issue would be with crackers. Part of their job breaking a system is to gather as much data as possible. With your script, they can test for any directory they want. That could be great information. Always give as little as possible and loosen up later.

        Cheers,
        Ovid

        In the jungle of the World Wide Web, the paranoid /(wo)?man/ is: defined $1 ? "queen" : "king" ;.

        Join the Perlmonks Setiathome Group or just go to the link and check out our stats.

        Sure there is. Suppose you have a directory of images that only registered users of your site should be able to see. You've just bypassed all your webserver's authentication and authorization mechanisms!

        And even if you, Adam, understand the limitations, you didn't document them, leaving the onlookers with a potentially dangerous security hole in their environment.

        No, I don't think I'm being an alarmist. What you posted is dangerous if cargo-culted. And believe me... it will end up where you least expect it.

        -- Randal L. Schwartz, Perl hacker
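The restriction Adam mentions (only letting the user pick a sanctioned directory) and the authorization bypass merlyn describes, as an added example that is not code from this thread: the request parameter selects a key in a fixed whitelist instead of naming a path, so the script can only list directories the operator chose to publish and cannot be used to probe for others. The directory layout, file names and the set of `imageDir` keys are constructed for the demo.

```perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use File::Spec;
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Sanctioned directories: the request parameter selects a KEY, never a path,
# so '..' or absolute paths never reach the filesystem. (Constructed layout.)
my %ALLOWED = (
    public  => 'images/public',
    banners => 'images/banners',
);

# Map the untrusted 'imageDir' value to a sanctioned directory under $base.
# Returns undef for anything not in the whitelist.
sub resolve_dir {
    my ($param, $base) = @_;
    return undef unless defined $param && exists $ALLOWED{$param};
    return File::Spec->catdir($base, $ALLOWED{$param});
}

# List regular files with known image extensions, entity-encoded for HTML.
sub list_images {
    my ($dir) = @_;
    opendir(my $dh, $dir) or die "Couldn't open '$dir': $!";
    my @images = sort grep { /\.(?:gif|jpe?g|tiff?|xif|bmp)\z/i
                             && -f File::Spec->catfile($dir, $_) } readdir $dh;
    closedir $dh;
    return map { encode_entities($_) } @images;
}

# Demo on a constructed temporary tree: one whitelisted dir, one private dir.
my $base = tempdir(CLEANUP => 1);
for my $sub ('images/public', 'images/private') {
    make_path(File::Spec->catdir($base, $sub));
}
for my $f ('images/public/logo.gif', 'images/public/a&b.JPG', 'images/private/secret.gif') {
    open(my $fh, '>', File::Spec->catfile($base, $f)) or die $!;
    close $fh;
}
for my $req ('public', 'images/private', '../images/private', undef) {
    my $dir = resolve_dir($req, $base);
    my $label = defined $req ? $req : '(none)';
    unless (defined $dir) { print "rejected: $label\n"; next; }
    print "<UL> for $label\n";
    print "  <LI>$_\n" for list_images($dir);
    print "</UL>\n";
}
```

Only the `public` request produces a listing (with `a&b.JPG` rendered as `a&amp;b.JPG`); the private directory is unreachable by any parameter value because no whitelist key points at it.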