greymoose has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks,
I'm trying to write a cgi script to take data from a text input on an HTML form and (after a bit of manipulation) write it as a text file. After several hours of surfing and experimenting I don't think I'm getting any closer.
When I try to code it as per this mode it looks like this:
    #Save the story to file
    open STORY,">$storyfile"|| die "Could not write to $filename\n";
    printf STORY $story;
    close (STORY);
$storyfile is the full path and filename for the new file, $filename is the filename on its own and $story is the content for the file. All of these are defined earlier in the script.
I end up with this error:
Insecure dependency in open while running with -T switch at /usr/lib/cgi-bin/upload.cgi line 33.
Line 33 is the second line posted above. I tried to sort out what this means and found several places that said this implied a permissions problem. I made sure everyone could write to the directory but still get the same result.
When I follow the advice in this thread my code looks like this:
    open(STORY,$storyfile)|| die "Could not write to $filename\n";
    printf STORY $story;
    close (STORY);
and I get this:
Could not write to 00041616l_k_j
00041616l_k_j is the filename less its suffix. I am having no problem opening similar files in the same directory for reading so I'm thinking I have missed out a step in the creation of a new file. Can anyone suggest what I may be doing wrong here?
Thanks for your help.

Replies are listed 'Best First'.
Re: Having trouble creating a text file
by davido (Cardinal) on May 05, 2007 at 05:27 UTC

    In your first snippet, one problem could be where "$storyfile" comes from. Is a portion of it coming from a source that taint mode would frown upon? That's my thought; that you're accepting at least a portion of $storyfile from a source that could be considered tainted (or taintable).

    In your second snippet, you're not even opening the file for output; you're opening it for input. And "Could not write..." is fooling you; it's your own error message. It should actually say, "Could not read from..." (since you're opening the file for reading in that second snippet). And the reason it's failing to open for reading is probably that it doesn't exist yet since you haven't written it yet.

    By the way; use the three-arg version of open: open STORY, '>', $storyfile or die .....

    Oh, that reminds me of another problem; in your first snippet you're using the wrong "or"; since there aren't any parens around the open argument list, you need to use "or" instead of "||", or else you get into precedence trouble.


    Dave

      Thanks davido,
      That was exactly the problem. When I went through and untainted the data from the form as part of the process it worked a dream.

        Just a few words of warning then; if data submitted via a web form is dictating a portion of the filename, you could have a security vulnerability, and the fact that you've subverted taint-checking on $filename doesn't necessarily mean it's safe. Tread carefully in these waters.


        Dave

Re: Having trouble creating a text file
by FunkyMonk (Bishop) on May 05, 2007 at 08:42 UTC
    In addition to what's already been written, in

       open STORY,">$storyfile"|| die "Could not write to $filename\n";

    Should it be $storyfile or $filename?

      $filename is one of the strings concatenated to create $storyfile and is in turn made up of various bits of data from the initial HTML form. From memory, I think I used it here to make sure that $filename was working out correctly.
      Thanks for pointing it out.
Re: Having trouble creating a text file
by roboticus (Chancellor) on May 05, 2007 at 12:24 UTC
    greymoose:

    Also, you might consider providing a format string for your printf, or changing it to a print.

    ...roboticus

      Thanks roboticus,
      I didn't really need to use printf so I've followed your advice and resorted to plain old print.
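
The points raised in the replies above (untainting the form data, three-arg open, "or" instead of "||", print instead of printf), combined in one added example that is not code from any poster in this thread. The sub names, the allowed-character pattern, the ".txt" suffix and the temporary directory are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Untaint a form-supplied base name by capturing an allowlisted pattern.
# Under -T only a regex capture clears the taint flag, so the pattern is the
# whole security check: /(.*)/ would silence the error and validate nothing.
sub untaint_basename {
    my ($raw) = @_;
    return unless defined $raw;
    # Letters, digits and underscore only: no "/" or "." can get through, so
    # the name cannot leave the target directory or choose its own suffix.
    # \A and \z anchor the whole string; "$" would allow a trailing newline.
    return $raw =~ /\A([A-Za-z0-9_]{1,64})\z/ ? $1 : undef;
}

# Write $story to "$dir/$name.txt" and return the path.
sub save_story {
    my ($dir, $name, $story) = @_;
    my $path = "$dir/$name.txt";
    # Three-arg open keeps the mode apart from the path. Low-precedence "or"
    # tests open's result; with "||" and no parens the die binds to the
    # filename string and can never fire.
    open(my $fh, '>', $path) or die "Could not write to $path: $!\n";
    print {$fh} $story;    # print, not printf: a "%" in $story stays literal
    close($fh) or die "Could not close $path: $!\n";
    return $path;
}

# Constructed inputs standing in for the form field; $dir is script-chosen.
my $dir = tempdir(CLEANUP => 1);
for my $candidate ('00041616l_k_j', '../../etc/passwd', 'story.cgi', "ok\n") {
    my $name = untaint_basename($candidate);
    if (defined $name) {
        my $path = save_story($dir, $name, "100% constructed story text\n");
        print "accepted: wrote $path\n";
    }
    else {
        (my $shown = $candidate) =~ s/[^\x20-\x7e]/?/g;    # keep output printable
        print "rejected: '$shown'\n";
    }
}
```

Only the first constructed name is accepted and written; the other three are rejected before any path is built from them.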