Several points to consider:

1. You need taint mode, warnings and strict.
2. use Basename; that strips all path information besides the file name.
3. I hope you use CGI to read the form data.
4. What sort of authentication is providing the user name?

After Compline,
Zaxo

You are making a fine breeding ground for remote shell exploits if you are going to let users provide parts of the path. What happens if they put a pipe mark in there? Bad things, they can execute commands possibly.

If you really must, then perhaps you can make very sure that $username and $input{'file'} are less than say 10 characters, a..z inclusive only. Even better, scan the preset directory for files and just offer a list of files for them to select in a CGI form (see CGI.pm), instead of allowing them to create files. This way you never actually insert variables which came from the input form into your path. You also want to consider that this information is going over the network in plaintext, in fact if you use GET anyone can read it. And um, where's the password dude?

And of course you are giving a web-based program to edit a user's root directory which is also not a good idea in general and might not work without changing permissions. Much better that your program manages everything in one place, knows what it has, and only serves things to the person who has been authenticated to get them.

--Jim

if ($input{'file'} !~ /[^a-z0-9\.]/ && $input{'file'} !~ /\.\./) {
#CODE TO WORK IT ALL OUT
}
[download]

And just to answer a couple of questions asked of me:

• Yep, CGI reads in all my environment variables/form data
• Username is taken from a set cookie that verifies using username/encrypted password every visit to a member-only page.
• There are file uploads AND textarea editting. Limit already set to a smallish number
• And I forgot to mention: all CGI, etc. is disabled in the users' directories (so no perl scripts run, etc). Access to these user directories is purely open to all users (in these directories, I set Options +Indexes in case there is no index.htm(l))
• I understand that it would probably (okay, WOULD) be better to do this using FTP, but I don't have the privilege of doing this :)

Any other comments???

i wouldn't even do that. there's really no excuse for not using Taint mode if your script is opening files based on untrusted user input.

with taint mode you would do something like:

my $filename = "";
if($input{'file'} =~ /^(\w+\.?\w{2,4})$/) {
  $filename = $1;
} else {
   die "somebody is trying to do bad things";
}
# do stuff with $filename
[download]

the idea is to only allow as much as you absolutely need to. doing anything else essentially comes down to you trying to predict how someone will attack the script and specifically blocking those attacks. not good since it means you have to know every possible attack they might try. if you miss one thing, you're screwed. taint mode encourages you to only allow as limited a set of inputs as possible.

to be even more safe, you should probably use sysopen instead of open. if you're doing an "edit" of an existing file rather than creating a new one, you might also want to load the list of files that are in the directory into a hash and check that $input{'file'} actually matches one of them.

but the most important thing is to use taint mode. i would suggest that before you go live with this program (however you've implemented it), you read and understand every line of the perlsec manpage. it would also be illustrative to read about the poison NULL byte for an idea of how subtle the attacks can get and why it's not good to base your security on trying to anticipate them all.

anders pearson