in reply to Why aren't these equivalent?

That would happen for good reason if taint checking is on. See perlsec for an explanation of that. Looking in the error logs would also be helpful. Failing that, I'd double-check your assumptions.

I should note that it does not look like you're using strict.pm, and your printf is adding unnecessary complexity; that line is more clearly written as:

print "File to be deleted: [$fileName]\n";
(The quotes you have around $fileName now mean that it already is being interpolated.)

Re^2: Why aren't these equivalent?
by Anonymous Monk on Jul 12, 2008 at 01:05 UTC
    You are correct, tilly. I turned off taint checking and now the parameter passing method works. I'll have to look into this a little deeper, since taint checking seems to be something I want to have active.

    Thank you all for your quick responses!

      PLEASE COME BACK HERE: don't, please, run CGIs without -T. As holli said below, someone will pass you "/etc/passwd" as a parameter and you will be hosed. You can unlink the file, IIRC, if you check it against a regex, like this:
      unlink $1 if $fileName =~ /^(\.\.\/\.\.\/20\d{6}\.txt)$/;
      _without_ having to run it insecurely. As a plus, it will only remove the removable files.
      []s, HTH, Massa
        Thank you for the advice, massa. I'm using the strict pattern matching that you suggested, modified for my specific application. There are other measures that would have to be defeated before someone could access this page, but I'll keep the taint checking too!

        It was very kind and generous of holli to offer to hack my site, but not necessary, thanks.
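
The untainting-by-capture approach discussed in this thread, as an added example that is not code from any of the posters: it shows `unlink` refusing a tainted parameter under `-T` and accepting only the text captured by a strict, fully anchored pattern. The scratch directory, the sample parameters and the `untaint_name` helper are assumptions for illustration, and the pattern here validates only the base name (so the `../../` form is rejected).

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Hypothetical scratch directory standing in for the application's data directory.
my $dir = "untaint_demo_$$";
mkdir $dir or die "mkdir $dir: $!";
open my $fh, '>', "$dir/20080712.txt" or die "create file: $!";
close $fh;

# Zero-length tainted string: appending it marks a value as tainted,
# the same state a CGI parameter is in when it arrives.
my $TAINT = substr("$0$^X", 0, 0);

# Return the untainted name if it is exactly 20 + six digits + .txt, else undef.
# \A and \z anchor the whole string, so a trailing newline is rejected too.
sub untaint_name {
    my ($name) = @_;
    return $name =~ /\A(20\d{6}\.txt)\z/ ? $1 : undef;
}

# Constructed sample parameters.
for my $param ('20080712.txt', '/etc/passwd', '../../20080712.txt', "20080712.txt\n") {
    my $input = $param . $TAINT;
    (my $shown = $param) =~ s/\n/\\n/;
    printf "%-22s tainted=%d  ", "[$shown]", tainted($input) ? 1 : 0;

    # Raw input: perl -T dies before unlink touches the filesystem.
    my $raw_ok = eval { unlink "$dir/$input"; 1 };
    print $raw_ok ? "raw: allowed   " : "raw: refused   ";

    # Validated input: only the captured text reaches unlink.
    my $clean = untaint_name($input);
    if (defined $clean) {
        my $removed = unlink "$dir/$clean";
        print "validated: removed $removed file(s)\n";
    } else {
        print "validated: rejected by pattern\n";
    }
}
rmdir $dir or warn "rmdir $dir: $!";
```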