MonkPaul has asked for the wisdom of the Perl Monks concerning the following question:

Hello once again,

I have a question about server security. At the moment I have a CGI script that allows a user to access a file stored on the server, but it is accessed by directly linking to the file so that it is opened in the current window. At the moment it doesn't allow any change to be conducted on the text file.

My question really is: Is this safe with regards to people getting access to the server information, and can anybody edit anything stored within the directory on the server from the URL I provide? (I think this may be resolved with a GET request rather than a POST, though I'm not too sure.)

cheers,
MonkPaul

Re: Safety of linking to a text file
by ikegami (Patriarch) on Aug 16, 2005 at 14:23 UTC

    A text file is no different than a .jpg for this purpose. If a .jpg is safe, so would a text file.

    Two tips:

    • Make sure the user can't specify an arbitrary file name to view (by using either a relative or absolute path). If you redirect to the text file rather than printing it out in the CGI, ignore this because the web server handles checking paths and permissions.
    • Make the file readonly (chmod 0444 filename.txt) to be safe.

      Cheers my good man.
      In the way you said things, I should be ok with this as it stands. I think modding the file though would be a good idea after I have created it, though the user may use it as input later on in the same program, which may be a problem when I'm trying to write new data in. Hmmmmmmm...... some thinking required.

      cheers,
      MonkPaul

Re: Safety of linking to a text file
by ghenry (Vicar) on Aug 16, 2005 at 14:43 UTC

    Check out Taint mode and @INC

    HTH

    Walking the road to enlightenment... I found a penguin and a camel on the way.....
    Fancy a yourname@perl.me.uk? Just ask!!!

      I'm not quite sure how this relates to the OP's question. He is not talking about using or requiring a file, so @INC doesn't come into it. Taint mode, however, might be useful if he was taking input from the user to specify which file to display, but I am not quite sure that this is the case.

      /J\

        I made the point for when/if he changes things, so the OP should read up on Taint mode for his own knowledge.

        But I take your points on board.
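The two points raised in this thread, ikegami's tip that the user must not be able to name an arbitrary file (relative or absolute path), and ghenry's pointer to taint mode, come together in the script below. It is an added example, not code posted by anyone in the thread: a CGI run under `-T` that serves one of a fixed set of text files read-only. The directory `/var/www/data`, the `file` query parameter and the two whitelisted file names are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Serves a whitelisted text file read-only
# under taint mode. Paths and names below are assumptions for illustration.
use strict;
use warnings;
use CGI qw(param header);
use File::Spec;

my $DOC_DIR = '/var/www/data';                               # assumed directory
my %ALLOWED = map { $_ => 1 } qw(readme.txt results.txt);    # assumed whitelist

# Turn an untrusted request parameter into a safe absolute path, or undef.
# Under -T the parameter is tainted; the regex capture is what untaints it,
# and the pattern itself admits only a bare basename (no '/', no '..').
sub safe_path {
    my ($name) = @_;
    return unless defined $name;
    return unless $name =~ /\A([A-Za-z0-9_-]+\.txt)\z/;
    my $clean = $1;
    return unless $ALLOWED{$clean};                          # not just well-formed: known
    return File::Spec->catfile($DOC_DIR, $clean);
}

my $path = safe_path(scalar param('file'));

# Refuse anything that did not survive validation or is not a readable plain file.
unless (defined $path && -f $path && -r $path) {
    print header(-status => '404 Not Found', -type => 'text/plain');
    print "No such file\n";
    exit;
}

# Open for reading only; the script never holds a write handle on the file.
open my $fh, '<', $path or do {
    print header(-status => '500 Internal Server Error', -type => 'text/plain');
    print "Cannot read file\n";
    exit;
};
print header(-type => 'text/plain');
print while <$fh>;
close $fh;
```

Because the whitelist is checked after the pattern match, a request such as `file=../../etc/passwd` fails at the regex and a well-formed but unknown name fails at the hash lookup, so the only files the script can ever open are the ones listed in `%ALLOWED`. Pairing this with `chmod 0444` on the files, as ikegami suggested, means that even a bug elsewhere in the script cannot turn a read into a write.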