in reply to Re^2: Perl CGI - Viewing logfiles - Security Issues
in thread Perl CGI - Viewing logfiles - Security Issues

"Is there any way to still have the files as 'links'..."
You could consider linking to a CGI script similar to Melly's above. You could pass the script a query string identifying the particular log needed.

Re^4: Perl CGI - Viewing logfiles - Security Issues
by stumbler (Acolyte) on Jan 10, 2007 at 18:41 UTC

    Thanks Melly and wfsp

    It works fine now without showing the 'softlinks' in the url after I used wfsp's suggestion.

    However, I will have to figure out a way to avoid the 'softlinks' to the user directories in Apache settings, which is still a potential security issue.

      The point is that you don't need the softlink - indeed, as long as you keep it, your security will be compromised. Get rid of it.

      My script, for example, runs with links like:

      <a href="/cgi-bin/viewlogs.pl?log=1">Access log</a>

      Your links might look like:

      <a href="/cgi-bin/viewlogs.pl?username=foobar">Foobar's log</a>

      Once more with feeling, your Perl script can access files that are not accessible to the web-server directly, and that is the way to keep content secure.

      map{$a=1-$_/10;map{$d=$a;$e=$b=$_/20-2;map{($d,$e)=(2*$d*$e+$a,$e**2 -$d**2+$b);$c=$d**2+$e**2>4?$d=8:_}1..50;print$c}0..59;print$/}0..20
      Tom Melly, pm@tomandlu.co.uk
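
The approach discussed in this thread, as an added example that is not Melly's script or any code from the original posts: a `viewlogs.pl` that turns the `log` or `username` parameter into a file path on the server side, so no path ever appears in the URL and no softlink is needed under the document root. The file locations, the `resolve_log` helper and the username pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI ();

# Assumed layout (hypothetical paths): logs live outside the document root.
my %SYSTEM_LOGS = (
    1 => '/var/log/apache2/access.log',
    2 => '/var/log/apache2/error.log',
);
my $USER_LOG_DIR = '/srv/userlogs';    # assumed: one file per user, <name>.log

# Map request parameters to a path. The client supplies an id or a name,
# never a path, so "../" or an absolute path cannot reach the filesystem.
sub resolve_log {
    my ($log_id, $username) = @_;
    if (defined $log_id) {
        return $SYSTEM_LOGS{$log_id};    # undef unless the id is allowlisted
    }
    # Assumed username policy: lowercase letter, then letters/digits/underscore.
    if (defined $username && $username =~ /\A([a-z][a-z0-9_]{0,31})\z/) {
        return "$USER_LOG_DIR/$1.log";   # $1 cannot contain '/' or '.'
    }
    return;
}

my $q    = CGI->new;
my $path = resolve_log(scalar $q->param('log'), scalar $q->param('username'));

# Refuse unknown logs, and refuse a symlink as the final path component.
unless (defined $path && -f $path && !-l $path) {
    print $q->header(-status => '404 Not Found', -type => 'text/plain');
    print "No such log.\n";
    exit;
}

open my $fh, '<', $path or do {
    print $q->header(-status => '500 Internal Server Error', -type => 'text/plain');
    print "Cannot read log.\n";
    exit;
};

# text/plain keeps log content from being rendered as HTML in the browser.
print $q->header(-type => 'text/plain; charset=utf-8');
print while <$fh>;
close $fh;
```

This sketch does not check who is asking: any visitor can request any username, so a real deployment would compare the requested name against the authenticated user (for example `$ENV{REMOTE_USER}`) before calling `resolve_log`.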