in reply to issues displaying cgi script source?

Say, I notice that your submit-script has a problem that lets me write to any file on your hard drive. Fix that too. Also fix your scripts to use CGI instead of trying to parse stuff in %ENV and STDIN. Again, use taint on all of those. These are just some general comments on some specific problems I saw while looking at your code and some hints to techniques that will help you get rid of them.

Re^2: issues displaying cgi script source?
by Elijah (Hermit) on Jul 06, 2004 at 22:32 UTC
    I locked down this script using some of the methods you suggested but was not able to use taint mode. I got the famous error saying it was too late for taint mode. I tried -wT, -Tw, -w -T, -T -w. The only way I could get taint mode to be used was to invoke it via the command line, but this is not an option when running the script over the web.

    I changed the two-arg-open call to a three-arg-open after your explanation. I had never considered the laziness of the two-arg implication function.


    www.perlskripts.com
      #!/usr/bin/perl -wT

      Um... that should be enough. Are you using mod_perl instead of cgi? That would do that - you'd load -T during the startup.pl in your apache configuration then.

        Nope, just using cgi. I was somewhat confused by the error also. Also, if you would, please email me with the details of what you found in the submit-source script at ziation@perlskripts.com. I see the section you are talking about and again I used a two-arg-open call, but the target file to write to is not passed as a cgi parameter like in the previous script. I have only looked into it for about 10 minutes but cannot see a way to modify the target file path.

        www.perlskripts.com
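
An added example, not code from the thread or from the scripts it discusses: one way to combine the two suggestions made above, validating a file name the way taint mode requires and writing it with a three-arg open. The upload directory, the function names and the sample inputs are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical upload directory; a temp dir here so the example runs anywhere.
my $UPLOAD_DIR = tempdir(CLEANUP => 1);

# Return a path inside $UPLOAD_DIR, or nothing if $name is not a plain file
# name. Under -T, the regex capture ($1) is what yields an untainted value.
sub safe_target {
    my ($name) = @_;
    return unless defined $name;
    # \A...\z rather than ^...$, so a trailing newline cannot slip through.
    # No '/', no leading '.', and none of the characters two-arg open
    # would read as a mode or a pipe ('<', '>', '|').
    return unless $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return File::Spec->catfile($UPLOAD_DIR, $1);
}

# Three-arg open: the mode is its own argument, so nothing in the path
# is ever interpreted as part of the mode.
sub save_submission {
    my ($name, $body) = @_;
    my $path = safe_target($name) or return 0;
    open(my $fh, '>', $path) or die "cannot write $path: $!";
    print {$fh} $body;
    close($fh) or die "close failed for $path: $!";
    return 1;
}

# Constructed sample inputs, standing in for values a CGI script would
# read from a request parameter (those would be tainted under -T).
for my $name ('notes.txt', '../../etc/passwd', '>clobber.txt', 'run.pl|', "a.txt\n") {
    (my $shown = $name) =~ s/\n/\\n/g;
    my $result = save_submission($name, "hello\n") ? 'saved' : 'rejected';
    printf "%-20s %s\n", $shown, $result;
}
```

Only `notes.txt` is saved; the other four names are rejected before any `open` call is reached.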