Re: issues displaying cgi script source?

Your script contains a security hole. The value of ( param() )[0] is given directly to your two-arg-open() call. It looks like your -e test might be enough to prevent people from taking over your shell but it is at least giving the world access to read any file on your hard drive.

Please read perlsec, turn on tainting, and learn to use three-arg-open: open ..., "<", $full or die "Couldn't open $full for reading: $!"

Comment on Re: issues displaying cgi script source? Select or Download Code

Replies are listed 'Best First'.
Re^2: issues displaying cgi script source? by Elijah (Hermit) on Jul 06, 2004 at 21:37 UTC
I can see your concern but do not really see how anyone can read any file on my filesystem by this usage. Permissions will not allow for any privilaged file to be read by a webserver running as "nobody" or any other non-privilaged user. Not to mention the hard coded variable of $path which is not changeable by the user and is the entire first portion of the variable $full's value. If there is a way to break out of this directory with the current state of this script please be specific because I do not see it. I have read about the two and three arg open calls but do not see in this implementation how a three arg open call will help any. Now I am not saying it won't because I am the farthest thing from an expert but if it will please again be more specific. Edit: Ohh wait a minute! Oh crap I see it and tested it and yes you are correct. Big oversight on my part. Thanks for the heads up! Permissions do save me on privilaged files but there are some un-privilaged files Apache can read that people have no buisness looking at and can lead to further exploitation. www.perlskripts.com	[reply]
Re^3: issues displaying cgi script source? by diotalevi (Canon) on Jul 06, 2004 at 22:14 UTC
See about using File::Spec and functions like splitpath() or no_upwards(). Also, use the three-arg open because even if a user gives you a filename like " foo \|" or ">bar" then you are specifying the "action" part of the open separately. It tells perl that everything in the filename portion of the function is a filename and no part of that is to be interpreted specially.	[reply]