daynite has asked for the wisdom of the Perl Monks concerning the following question:

Hi all, I have a problem with a Perl CGI script. I tried to display an image on a web page by receiving the image name from the previous page, and I'm trying the below script, but it is not working.

Below is the image.cgi script,

#!/usr/bin/perl
use CGI;
use CGI::Carp;
use strict;
use constant BUFFER_SIZE     => 4_096;
use constant IMAGE_DIRECTORY => "/var/www/cgi-bin/images";

my $q      = new CGI;
my $image  = $q->param("photo");   # file name taken straight from the request
my $buffer = "";

# Derive the MIME subtype from the file extension ("jpg" becomes "jpeg").
my ($type) = $image =~ /\.(\w+)$/;
$type eq "jpg" and $type = "jpeg";
print $q->header(-type => "image/$type", -expires => "-1y");
binmode STDOUT;

# The unchecked name is appended to the directory and opened as-is.
local *IMAGE;
open IMAGE, IMAGE_DIRECTORY . "/$image" or die "Cannot open $image: $!";
while ( read(IMAGE, $buffer, BUFFER_SIZE) ) {
    print $buffer;
}
close IMAGE;

It is working if I declare the image name directly ($image = "imag1.gif";). Anyone please fix this.

20090516 Janitored by Corion: Removed italic tags, as per Writeup Formatting Tips

Re: Image on web page
by almut (Canon) on May 13, 2009 at 22:12 UTC
    It is working if I declare the image name directly ($image = "imag1.gif";).

    So the first step to debugging the issue would be to print out the value of $image in the case that you retrieve it via ->param(). And depending on the outcome of that check, decide where to dig deeper...  Also, it's never entirely wrong to take a peek at the webserver's error log... (if you have access)

Re: Image on web page
by moritz (Cardinal) on May 13, 2009 at 22:36 UTC
    Please never publish a script like that on the w-w-w, it allows an attacker to read arbitrary files from your hard disk (all those that are readable by the web server). (Consider photo=../../../../etc/security/limits.conf for example).
    the below script, but it is not working

    That's not an error description - in what way is it not working?

Re: Image on web page
by oxone (Friar) on May 13, 2009 at 22:44 UTC
    The previous post points you in the right direction as to your query, although you have a bigger problem in assuming that the "photo" param isn't going to be malicious.

    Consider what might be served back to the outside world if the "photo" param was '../../../../usr/mydata/private.txt' for example.

    You're creating a script which could potentially give read access to any file on the server. As a first step, look up "taint mode" and turn it on!
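A hardened version of the "photo" handling that the replies above ask for, added here as an example and not code from any poster in the thread. It keeps the original image directory and buffer size, runs under taint mode, and assumes a fixed set of image extensions (jpg, jpeg, gif, png) as the only files the script should ever serve:

```perl
#!/usr/bin/perl -T
# Added example: hardened replacement for image.cgi's "photo" handling.
# IMAGE_DIRECTORY comes from the original script; the extension list is assumed.
use strict;
use warnings;
use CGI;
use File::Spec;
use Cwd qw(realpath);

use constant IMAGE_DIRECTORY => "/var/www/cgi-bin/images";
use constant BUFFER_SIZE     => 4_096;

# Content-Type is looked up from a fixed table, never built from request data.
my %MIME = ( jpg => 'image/jpeg', jpeg => 'image/jpeg',
             gif => 'image/gif',  png  => 'image/png' );

# Return (path, mime) for an acceptable "photo" value, or an empty list.
# The name must be a plain file name (letters, digits, "_", "-", one allowed
# extension), so "../../../../etc/security/limits.conf" is rejected before any
# path is built; the resolved path must also stay inside IMAGE_DIRECTORY.
sub safe_image {
    my ($name) = @_;
    return unless defined $name;
    # The capture untaints $name under -T; the whitelist is the real check.
    return unless $name =~ /\A([A-Za-z0-9_-]+\.(jpe?g|gif|png))\z/i;
    my ($clean, $ext) = ($1, lc $2);
    my $real = realpath(File::Spec->catfile(IMAGE_DIRECTORY, $clean));
    return unless defined $real;                 # undef when the file is missing
    my $dir = realpath(IMAGE_DIRECTORY);         # symlinks resolved on both sides
    return unless index($real, "$dir/") == 0;    # must remain under the directory
    return ($real, $MIME{$ext});
}

sub serve {
    my $q = CGI->new;
    my ($path, $mime) = safe_image(scalar $q->param("photo"));
    unless ($path) {
        print $q->header(-status => '404 Not Found', -type => 'text/plain');
        print "No such image\n";
        return;
    }
    print $q->header(-type => $mime, -expires => '-1y');
    binmode STDOUT;
    open(my $fh, '<:raw', $path) or die "Cannot open $path: $!";
    my $buffer;
    print $buffer while read($fh, $buffer, BUFFER_SIZE);
    close $fh;
}

serve();
```

Rejected names get a 404 rather than a die, so a probing request leaves only a normal error in the web server log instead of a CGI failure.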