in reply to CGI module seems to eat html entities!

"The editor consists of a small form with a textarea and a submit button (oh and besides, for a little feeling of fake security, there is a password box :) )."

To me this sounds like a bad idea. Are you saying that if someone should stumble upon this page you have set up they could edit files on your webserver via a browser without having to provide any type of valid username/password?

If so I would rethink that before worrying about anything else.

Martin
Re^2: CGI module seems to eat html entities!
by muba (Priest) on Oct 03, 2005 at 14:16 UTC
    Oh no worries. The editor is made so that it allows only files ending in ".htm". If any of "..", "/", or a null character occurs in the file requested for editing, it denies access. The password is hardcoded in the .pl-file (whose name doesn't end in .htm so it can't be loaded in the editor) and the submitted password is compared to this one.

    What I just meant to say by 'little feeling of fake security' is that not everyone is easily able to edit the files, but with a little brute-forcing I think the password is easily cracked :)
    But anyway, it is a temporary solution and I will delete the editor when the site update is finished.
      It doesn't really sound like a great idea (html pages can contain various scripting languages that could do some harm to visitors to your site, or some terrorist organization could just take over pages for communications, etc.)

      It's your decision, I guess, if it's your web server. And at least you're aware that it's not real security.
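The filename checks muba describes above, placed beside a stricter allowlist, plus a password comparison that does not keep the plaintext in the script, as an added Perl example. This is not the editor from the thread; `$DOCROOT`, the salt and the password value are constructed for the demo. The loop at the end prints where the thread's denylist and the allowlist disagree.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use Digest::SHA qw(sha256_hex);

# Assumed layout, not from the thread: the editable pages live directly
# under $DOCROOT and the editor never needs to reach a subdirectory.
my $DOCROOT = '/var/www/html';

# The denylist as the thread describes it: ".htm" suffix, then refuse "..",
# "/" and NUL. Kept for contrast; it says nothing about backslashes,
# whitespace, or other characters a web server may treat specially.
sub denylist_ok {
    my ($name) = @_;
    return 0 unless defined $name && $name =~ /\.htm\z/;
    return 0 if $name =~ /\.\./ || $name =~ m{/} || $name =~ /\0/;
    return 1;
}

# Allowlist: accept only a bare basename of safe characters ending in
# ".htm", join it to $DOCROOT ourselves, and refuse symlinks so the file
# cannot point outside the directory. Returns the path or undef.
sub safe_page_path {
    my ($name) = @_;
    return undef unless defined $name
        && $name =~ /\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.htm\z/;
    my $path = File::Spec->catfile($DOCROOT, $name);
    return undef if -l $path;
    return $path;
}

# Store a salted hash rather than the plaintext, and compare in a loop
# that does not exit early, so response time does not leak how many
# leading characters matched. Salt and password here are constructed.
my $SALT    = 'constructed-salt-value';
my $PW_HASH = sha256_hex($SALT . 'constructed-password');

sub password_ok {
    my ($submitted) = @_;
    return 0 unless defined $submitted;
    my $got  = sha256_hex($SALT . $submitted);
    my $diff = length($got) ^ length($PW_HASH);
    for my $i (0 .. length($got) - 1) {
        $diff |= ord(substr($got, $i, 1)) ^ ord(substr($PW_HASH, $i, 1));
    }
    return $diff == 0;
}

# Constructed requests, showing where the two checks disagree.
for my $name ('index.htm', '../etc/passwd.htm', 'a\\b.htm',
              'my page.htm', 'page.php') {
    printf "%-20s denylist=%d allowlist=%s\n", $name,
        denylist_ok($name), defined safe_page_path($name) ? 'ok' : 'deny';
}
printf "password: %s\n", password_ok('constructed-password') ? 'ok' : 'deny';
printf "password: %s\n", password_ok('wrong-guess')          ? 'ok' : 'deny';
```

Neither check addresses the point made in the nested reply: whoever gets past the password can still put arbitrary script into the pages, so the strength of that password and where the editor is reachable from carry the whole risk.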