in reply to CGI and security

Try putting this in your cgi script:
#!/usr/bin/perl
use Carp;                               # provides Carp::cluck
use CGI::Carp qw(fatalsToBrowser);      # send fatal errors to the browser instead of a bare 500 page
local $SIG{__WARN__} = \&Carp::cluck;   # turn every warning into a stack trace in the error log
The most likely causes of file upload errors are (1) the upload directory is not mode 0777, or what is called World-Writable; and (2) you are trying to upload to the wrong location. You often need to check what is the absolute path to your upload directory on the server. Often these are aliased, but your server control panel should be able to say what the absolute pathname is to your home dir.

If you haven't discovered it on your own yet, try running this script to get your cgi info.

#!/usr/bin/perl
use strict;
use warnings;

# Don't buffer output
$| = 1;

# Ask for server name and information
chomp(my $hostname = `hostname`);
chomp(my $uname    = `uname -a`);

# Ask system for user name
chomp(my $user = `/usr/bin/whoami`);

# Ask system for user id and group id for this user
my ($uid, $gid) = (getpwnam($user))[2, 3];

# Get path for sendmail program
chomp(my $sendmail = `which sendmail`);

# Everything below is echoed back into HTML, including request headers the
# client controls (HTTP_USER_AGENT, HTTP_REFERER, QUERY_STRING ...), so escape it.
sub esc {
    my $s = defined $_[0] ? $_[0] : '';
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}
my %env = map { $_ => esc($ENV{$_}) } keys %ENV;
$_ = esc($_) for $hostname, $uname, $user, $sendmail;

# Generate the complete page
print "Content-type: text/html\n\n";
print qq(
<html>
<head><title>CGI Environment</title></head>
<body bgcolor="white">
<b>
Host name is $hostname.<br>
CGI programs execute as user $user ($uid, $gid).<br>
System description is $uname.<br>
</b>
<hr>
<h2 align="center">CGI Environment</h2>
<p>
<br>
);

# The standard CGI/1.1 variables
for my $name (qw(SERVER_SOFTWARE SERVER_NAME GATEWAY_INTERFACE SERVER_PROTOCOL
                 SERVER_PORT REQUEST_METHOD HTTP_FROM HTTP_ACCEPT HTTP_USER_AGENT
                 HTTP_REFERER PATH_INFO PATH_TRANSLATED SCRIPT_NAME QUERY_STRING
                 REMOTE_HOST REMOTE_ADDR REMOTE_USER REMOTE_IDENT AUTH_TYPE
                 CONTENT_TYPE CONTENT_LENGTH)) {
    print "$name = ", (defined $env{$name} ? $env{$name} : ''), "<br>\n";
}

print qq(
<p>
<hr>
<p>
<h2 align="center">Complete Environment</h2>
);
foreach my $key (sort keys %env) {
    print "$key = $env{$key}<br>\n";
}
print qq(
<h2 align="center">System Programs</h2>
Sendmail program path : $sendmail
</body>
</html>
);

I'm not really a human, but I play one on earth.
Old Perl Programmer Haiku ................... flash japh

Re^2: CGI and security
by Anonymous Monk on Jul 12, 2012 at 11:27 UTC
    use CGI::Carp qw(fatalsToBrowser);
    local $SIG{__WARN__} = \&Carp::cluck;
    I tried putting this code. (I was looking for this piece of code. Thanks.) It threw this error: "Software error: CGI open of tmpfile: Permission denied".

    On googling I found that CGI defaults the temp directory to /usr/tmp. Is there any way to override this temporary path?

      It threw this error: "Software error: CGI open of tmpfile: Permission denied".

      The way I interpret that error is that your file upload script doesn't have permission to write to the designated upload directory. This is usually because it is not mode 0777 or world-writable, which is needed by file uploads (unless your Apache server is using suEXEC).

      You really should post a minimal running code example which fails, so we can see where your problems are.

      It is 99% probable that the problem IS NOT due to the CGI module. People successfully run http file uploads all the time, but you must have your file paths and permissions correct.

      Here is a simple upload script to test with. In your cgi directory, where you place this script, make a subdir called "uploads" and chmod it to 0777. Then run this script through the browser.

      #!/usr/bin/perl
      use warnings;
      use strict;
      use CGI;
      use CGI::Carp 'fatalsToBrowser';

      my $maxsize    = 1024 * 100;   # max 100K
      my $query      = CGI->new;
      my $upload_dir = "uploads";    # permissions for dir are set 0777

      print $query->header();

      # CONTENT_LENGTH is the size of the whole request body, not just the file
      if (($ENV{CONTENT_LENGTH} || 0) > $maxsize) {
          print "file too large - must be less than $maxsize bytes";
          exit;
      }

      # param() gives the client-supplied file name, upload() the filehandle for the data
      my $file = $query->param("file");
      my $fh   = $query->upload("file");
      unless (defined $file && defined $fh) {
          print "no file uploaded";
          exit;
      }

      # strip any directory part the browser sent: keep everything after the last / or \
      (my $filename = $file) =~ s/.*[\/\\](.*)/$1/;

      open(my $out, '>', "$upload_dir/$filename") or die "$upload_dir/$filename: $!\n";
      binmode $out;
      binmode $fh;
      $/ = \8192;    # read in 8192-byte chunks, see perldoc perlvar
      while (<$fh>) {
          print {$out} $_;
      }
      close $out or die "close: $!\n";

      print <<END_HTML;
      <HTML>
      <HEAD>
      <TITLE>Thanks!</TITLE>
      </HEAD>
      <BODY bgcolor="#ffffff"><br>
      <P>Thanks for uploading file : $filename!</P>
      </BODY>
      </HTML>
      END_HTML

      I'm not really a human, but I play one on earth.
      Old Perl Programmer Haiku ................... flash japh
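Added example, written for this page and not code from any poster in the thread: the same upload handler as the test script above, but with the client-supplied name never used as the on-disk path. The test script writes whatever basename the browser sends straight into a 0777 directory under cgi-bin; the version below generates its own file name, refuses extensions it does not expect, creates the file with O_EXCL so nothing already in the directory can be overwritten or followed, and lets CGI.pm enforce the size limit. It assumes CGI.pm 3.x (for $CGI::POST_MAX and cgi_error), a hypothetical absolute upload directory /var/www/uploads that is outside the cgi-bin tree, not served by the web server, and writable by the user the CGI runs as (the user and ids shown by the environment-dump script in the first post) rather than mode 0777. The allowed-extension list is an illustrative placeholder.

```perl
#!/usr/bin/perl
# Added example, not from the original thread. Hardened upload handler.
# Assumes CGI.pm 3.x and an upload directory outside cgi-bin that is
# writable by the CGI user (not world-writable). Path is hypothetical.
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;

# Cap the request body before CGI.pm buffers it; CGI.pm enforces this itself
# and records the refusal in cgi_error().
$CGI::POST_MAX = 1024 * 100;    # 100 KB

my $upload_dir = '/var/www/uploads';    # hypothetical absolute path, outside cgi-bin

my $q = CGI->new;
print $q->header('text/plain');

if (my $err = $q->cgi_error) {          # e.g. "413 Request entity too large"
    print "Upload rejected: $err\n";
    exit;
}

# upload() returns a filehandle for the data; param() returns the client-supplied name.
my $fh          = $q->upload('file');
my $client_name = $q->param('file');
unless (defined $fh && defined $client_name) {
    print "No file field in request\n";
    exit;
}

# Keep only a conservative basename for display; the stored name is generated below,
# so the client never chooses where on disk the bytes land.
my ($base) = $client_name =~ m{([^/\\]*)\z};
$base =~ s/[^A-Za-z0-9._-]/_/g;
$base = 'upload' if $base eq '' || $base =~ /^\.+$/;
$base = substr($base, 0, 100);

# Allow only extensions the application expects: no .cgi/.pl/.php/.htaccess etc.
my %allowed = map { $_ => 1 } qw(txt csv png jpg jpeg gif pdf);    # placeholder list
my ($ext) = $base =~ /\.([A-Za-z0-9]+)\z/;
$ext = lc(defined $ext ? $ext : '');
unless ($allowed{$ext}) {
    print "File type not allowed\n";
    exit;
}

# Random server-side name; O_EXCL means we never overwrite or follow a
# pre-existing file or symlink planted in the directory.
my @chars = ('a' .. 'z', '0' .. '9');
my $stored;
for (1 .. 10) {
    my $rand      = join '', map { $chars[rand @chars] } 1 .. 16;
    my $candidate = File::Spec->catfile($upload_dir, "$rand.$ext");
    next unless sysopen(my $out, $candidate, O_WRONLY | O_CREAT | O_EXCL, 0640);
    binmode $out;
    binmode $fh;
    my ($buf, $total) = ('', 0);
    while (my $n = read($fh, $buf, 8192)) {
        $total += $n;
        print {$out} $buf or die "write: $!";
    }
    close $out or die "close: $!";
    $stored = $candidate;
    print "Stored $total bytes from '$base' as $candidate\n";
    last;
}
die "could not create a unique file in $upload_dir: $!" unless defined $stored;
```

Run it through the browser the same way as the test script. With a body larger than $CGI::POST_MAX, CGI.pm stops reading, param() returns nothing and cgi_error reports "413 Request entity too large", which is the case the CONTENT_LENGTH comparison in the test script only approximates. If the directory is not writable by the CGI user the sysopen fails and the script dies with the real errno, which is the permission problem this thread is about.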

      One side note: CGI::Carp::warningsToBrowser might be worth looking into.

      On googling I found that CGI defaults the temp directory to /usr/tmp. Is there any way to override this temporary path?

      What does the CGI documentation say?
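Added example, written for this page and not part of the thread, showing one way to answer the override question under the assumption that this is CGI.pm 3.x: there the CGITempFile package picks the spool directory once, when CGI.pm is loaded, trying $ENV{TMPDIR} first and then /usr/tmp, /var/tmp, /tmp and the rest of its built-in list, so the override has to be in place in a BEGIN block before "use CGI" runs. The directory /home/example/tmp is hypothetical; substitute the absolute path your hosting control panel reports.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Assumes CGI.pm 3.x, whose CGITempFile
# package consults $ENV{TMPDIR} first when it chooses the upload spool
# directory at load time. The path below is hypothetical.
use strict;
use warnings;

my $tmpdir;
BEGIN {
    $tmpdir = '/home/example/tmp';    # hypothetical; must be writable by the CGI user

    # Fail loudly here instead of letting CGI.pm silently fall back to
    # /usr/tmp, /var/tmp, /tmp or "." and die later with "CGI open of tmpfile".
    die "temp dir $tmpdir is not a writable directory\n"
        unless -d $tmpdir && -w _;

    $ENV{TMPDIR} = $tmpdir;           # must be set before CGI.pm is compiled
}
use CGI;
use CGI::Carp qw(fatalsToBrowser);

my $q = CGI->new;
print $q->header('text/plain');

# $CGITempFile::TMPDIRECTORY is the directory CGI.pm actually settled on;
# if it is not $tmpdir, the override did not take effect.
print "Requested via TMPDIR:        $tmpdir\n";
print "CGI.pm spools uploads in:    $CGITempFile::TMPDIRECTORY\n";
```

Keep the directory private to the CGI user (mode 0700 is enough, since only that user writes and reads the spool files) so that other accounts on a shared host cannot read uploads while they are in flight.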

      CGI open of tmpfile: Permission denied

      Hoster error. Contact support. See also Re: On uploading a file.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)