in reply to Re: Perl CGI - Viewing logfiles - Security Issues
in thread Perl CGI - Viewing logfiles - Security Issues

You exactly got the issue I have. Your approach will work fine but for one issue because of my requirement.

I have a softlink to the user directories under /usr/local/apache/htdocs as follows:

wd -> /usr/local/wd/

Then, I build the link using the 'soft link', 'username' & 'log file name' and present it in HTML format.

One of the requirements is that I show the log files as 'links' in the HTML page so that the user can click and view the file(s), if they want to. Hence, I coded like what I had explained in the original post.

Is there any way to still have the files as 'links' and also take care of the security issue?

Re^3: Perl CGI - Viewing logfiles - Security Issues
by wfsp (Abbot) on Jan 10, 2007 at 18:02 UTC
    "Is there any way to still have the files as 'links'..."
    You could consider linking to a CGI script similar to Melly's above. You could pass the script a query string identifying the particular log needed.

      Thanks Melly and wfsp

      It works fine now without showing the 'softlinks' in the url after I used wfsp's suggestion.

      However, I will have to figure out a way to avoid the 'softlinks' to the user directories in Apache settings, which is still a potential security issue.

        The point is that you don't need the softlink - indeed, as long as you keep it, your security will be compromised. Get rid of it.

        My script, for example, runs with links like:

        <a href="/cgi-bin/viewlogs.pl?log=1">Access log</a>

        Your links might look like:

        <a href="/cgi-bin/viewlogs.pl?username=foobar">Foobar's log</a>

        Once more with feeling, your Perl script can access files that are not accessible to the web server directly, and that is the way to keep content secure.

        map{$a=1-$_/10;map{$d=$a;$e=$b=$_/20-2;map{($d,$e)=(2*$d*$e+$a,$e**2 -$d**2+$b);$c=$d**2+$e**2>4?$d=8:_}1..50;print$c}0..59;print$/}0..20
        Tom Melly, pm@tomandlu.co.uk
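A viewlogs.pl along the lines described in this thread, written as an added example (it is not Melly's or wfsp's script): the log directory /usr/local/wd, the per-user file name access.log, the allow-list of usernames and the use of the CGI module are all assumptions. The point it shows is that the username parameter is only ever a lookup key, never a path fragment, and the logs stay outside htdocs so no softlink is needed.

```perl
#!/usr/bin/perl -T
# viewlogs.pl: serve one user's log from a directory outside the docroot.
# Added example; paths, file name and allow-list are assumptions.
use strict;
use warnings;
use CGI qw(param header);

# Per-user logs live here, NOT under htdocs: Apache cannot serve them
# directly, so there is nothing for a softlink or a crafted URL to reach.
my $LOG_BASE = '/usr/local/wd';
my $LOG_NAME = 'access.log';

# Only these usernames can be requested. The allow-list (assumed here)
# would normally be loaded from a config file.
my %ALLOWED = map { $_ => 1 } qw(foobar alice bob);

sub deny {
    print header( -status => '404 Not Found', -type => 'text/plain' );
    print "No such log\n";
    exit;
}

my $user = param('username');
$user = '' unless defined $user;

# Untaint with a strict pattern (no '/', no '.', no leading junk) and
# require membership in the allow-list. Anything else is a 404; the
# raw parameter is never interpolated into a file name.
deny() unless $user =~ /\A([a-z][a-z0-9_]{0,31})\z/ && $ALLOWED{$1};
$user = $1;

my $path = "$LOG_BASE/$user/$LOG_NAME";

# Refuse symlinks and non-regular files so a link planted in a user
# directory cannot point the script at some other file on the box.
deny() if -l $path || !-f $path;

open my $fh, '<', $path or deny();
print header( -type => 'text/plain; charset=utf-8' );
print while <$fh>;    # text/plain, so log contents are not rendered as HTML
close $fh;
```

The links in the HTML page then stay exactly as Melly showed them (`/cgi-bin/viewlogs.pl?username=foobar`), and the `-T` switch makes Perl refuse to open a path built from the parameter unless it has passed the regex above.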