in reply to Re: Allow User to Select Which Files to Delete
in thread Allow User to Select Which Files to Delete

Ok, I got your code to work by checking for tainted data. Can you take a look at the reg expressions that I used - is what I did secure enough? The main Perl script that I am trying to create is a simple web page creation program that will allow users to create their own pages. I'm using a scalar called $drt to pass on the value of whatever user might be uploading files or deleting them. So for example in this line of code: my @files=glob("/Library/WebServer/Documents/userpages/$drt/*.*"); I'm passing the folder name of one of the users (bob_jones or whatever). Is this a bad way to do things? I have also checked for tainted data on this scalar -- does my regex make sense for this? Overall what can I do to make all of this more secure?

Also one last thing. I need to be able to print out all the files in the directory that I am deleting from so users can select them properly. However with the glob function it prints out the whole path - how can I just print out the file names? Thanks in advance. Here's the code:

```perl
# $q is the CGI object and error() the error handler created earlier in the
# script (not shown here).

####
# Delete File
####
sub delete_file {
    # check for tainted data: validate every selected file, not only the first
    my @files = $q->param("files") or error($q, "couldn't read File values");
    my @clean;
    foreach my $f (@files) {
        $f =~ /^([\/.\w.]+)$/ or die "Bad filename";
        push @clean, $1;    # the "untainted" file is now in $1
    }

    print <<HTML;
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
<title>Upload - File Deleted</title>
</head>
<body bgcolor="#ffffff">
<form action="upload.cgi" Method="post" ENCTYPE="multipart/form-data">
<P>File(s) Have Been Deleted:
<INPUT TYPE="HIDDEN" NAME="drt" VALUE="uploads2">
<br>
HTML

    # delete the untainted names, not the raw form values
    foreach (@clean) {
        unlink($_);
    }

    print <<HTML;
<br>
<INPUT TYPE="submit" NAME="action" VALUE="Back To Main">
</FORM>
<p></p>
<!-- trying to get dir_files to print here -->
HTML
}
#### end of delete file

####
# Get File List
####
sub get_file_list {
    my $drt = $q->param("drt") || error($q, "couldn't get drt value");
    $drt =~ /^([\w.]+)$/ or die "Bad filename for value drt";
    $drt = $1;    # the "untainted" value is now in $1

    #opendir(DIR, $dfiles);
    #my @files = grep { $_ ne '.' && $_ ne '..' } readdir(DIR);
    #closedir(DIR);
    my @files = glob("/Library/WebServer/Documents/userpages/$drt/*.*");

    print <<HTML;
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
<title>Upload - Delete Files</title>
</head>
<body bgcolor="#ffffff">
<form action="upload.cgi" Method="post" ENCTYPE="multipart/form-data">
<P>List of Files:
<br>
<INPUT TYPE="HIDDEN" NAME="drt" VALUE="uploads2">
HTML

    foreach (@files) {
        print "<br> Delete this File: $_ <INPUT TYPE=\"checkbox\" NAME=\"files\" VALUE=\"$_\">\n";
    }

    print <<HTML;
<br>
<br>
<INPUT TYPE="submit" NAME="action" VALUE="Remove File(s)">
</FORM>
HTML
}
### end of get file list
```

Re: Re: Re: Allow User to Select Which Files to Delete
by fuzzysteve (Beadle) on Nov 19, 2001 at 16:51 UTC
    Well, glob only returns the full path if you are doing a search with the full path. If you only search for *.*, it will show you the current directory. Not useful until you use
    chdir("/Library/WebServer/Documents/userpages/$drt/");
    to put you in the right place. Then you can use
    glob("*.*");
    to get the files. Remember to do this both in the deletion and the selection bit.

    Alternatively, get the length of /Library/WebServer/Documents/userpages/$drt/ and in the display section chop it off the front of the string:

```perl
# length of the directory prefix that glob() put in front of every name
my $length_of_dir = length("/Library/WebServer/Documents/userpages/$drt/");

foreach (@files) {
    my $choppedstring = $_;
    substr($choppedstring, 0, $length_of_dir) = "";    # drop the prefix
    print "<br> Delete this File: $choppedstring <INPUT TYPE=\"checkbox\" NAME=\"files\" VALUE=\"$_\">\n";
}
```
    Usernames aren't a great idea to pass around (if people don't know what a valid user name is, then that's another step they need to take in breaking your security), although I'm not sure what another solution is.
    As for the regexes, I'm not sure. They've never been a strong point for me.
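Both the untainting in the original post and the "just the file names" question answered in this reply, as an added Perl example that is not code from either poster: it assumes the same one-directory-per-user layout and a CGI object `$q` in the caller, and tightens the checks so that a directory name is a single path component and a file name can never contain a slash or be `.`/`..`; the listing returns bare names, so nothing has to be chopped off.

```perl
#!/usr/bin/perl -T
# Added example (not the thread's code). Assumes one directory per user
# under $BASE and that "drt" and the file names arrive from the form.
use strict;
use warnings;
use File::Spec;

my $BASE = '/Library/WebServer/Documents/userpages';

# Untaint the user directory: exactly one path component, word chars only.
# \A and \z (not ^ and $) so a trailing newline cannot slip through.
sub untaint_dir {
    my ($drt) = @_;
    return unless defined $drt && $drt =~ /\A(\w+)\z/;
    return $1;
}

# Untaint a file name: no '/', never '.' or '..', so it stays in the user's dir.
sub untaint_name {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A([\w.-]+)\z/;
    my $clean = $1;
    return if $clean eq '.' || $clean eq '..';
    return $clean;
}

# Bare file names (not full paths) in the user's directory, for the form.
# Escape them (CGI::escapeHTML) before printing into the page.
sub list_user_files {
    my ($drt) = @_;
    my $dir = File::Spec->catdir($BASE, $drt);
    opendir(my $dh, $dir) or die "cannot open $dir: $!";
    my @names = grep { -f File::Spec->catfile($dir, $_) } readdir($dh);
    closedir($dh);
    return sort @names;
}

# Delete only names that pass untaint_name, always inside $BASE/$drt;
# returns the names actually removed.
sub delete_user_files {
    my ($drt, @requested) = @_;
    my $dir = File::Spec->catdir($BASE, $drt);
    my @deleted;
    for my $req (@requested) {
        my $name = untaint_name($req) or next;   # reject, do not "clean up"
        my $path = File::Spec->catfile($dir, $name);
        push @deleted, $name if -f $path && unlink($path);
    }
    return @deleted;
}
```

Called from the handlers as `untaint_dir($q->param('drt'))` and `delete_user_files($drt, $q->param('files'))`; any value that fails a check is dropped rather than repaired, which keeps the untaint regexes honest.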