OK, I discovered the problems with my previous code and I think that they will be instructional for others who doubt or disregard the advice given regularly by the sages at PM.

Mistake #1. I arrived at the solution by following standard advice given regarding:
use CGI::Carp qw(fatalsToBrowser); which had I known about when I originally wrote the application would have immediately led me to the source of the problem (pun intended).

I happen to be a sysadmin, so I can't blame not having access to the system logs because I did. Since I never received any error messages in the browser and the applications appeared to work despite the original problem I described, it never occurred to me to look in the logs.

Mistake #2. I relied on my memory of the steps I took to debug the problem (this was over 9 months ago) and thought that I had tested the query string by substituting "GET" for "POST". Apparently I hadn't because after I replied to hacker, I began second guessing myself and actually wrote some code to test it. Well, the whole TEXTAREA contents were displayed to browser location bar. I apologize for the mistaken assumption and realize that I should have gone back and retested my claim before making it.

Mistake #3. As Trimbach suggested, I was relying on a handrolled solution for retrieving CGI parameters. Well, actually I pieced together snippets I'd found from various sources and wrote my own sub. I actually was going to post a question about substituting my own code with CGI::import_names but after some research decided that I could figure that out on my own. Instead, I wrote the first post in this thread which has brought me back full circle.

In my previous applications I used the following code to assign my CGI params. I am already aware of how horrible this is; even though I thought at the time that I had ensured the "untaintedness" of my data, I didn't realize the other implications (see this thread).

HTML:

<html>
<form name="Survey" method="get" action="/cgi-bin/textarea.pl">
<table border=0 width="100%">
<tr><td><TEXTAREA NAME="xiv" ROWS="6" COLS="55" wrap="soft"></TEXTAREA></td></tr>
<tr><td><input type="submit" name="Submit" value="Submit"></td></tr>
</table>
</form>
</html>
CGI:
use CGI;
use CGI::Carp qw(fatalsToBrowser);

doGetCGIvars();

print "Content-type: text/html\n\n";
# my $query = new CGI;
# my $xiv = $query->param('xiv');
print "<html><body>\$xiv=$xiv</body></html>";

sub doGetCGIvars {
    ### for future revisions look into CGI::import_names
    my $VarName;
    my $query = new CGI;
    foreach $VarName ($query->param) {
        # builds a line of Perl source from the parameter name and value,
        # then evals it to create a global of the same name
        $assign = "\$$VarName = '" . $query->param($VarName) . "'";
        &UnTaint($assign);
        ### print "$assign<br>";
        eval($assign);
    }
}

sub UnTaint {
    # only rejects values containing '<'
    my $test = shift;
    unless ($test =~ /^([^<]*)$/) {
        die "Couldn't untaint variable \$test:\n\n";
    }
}
The problem is that if you comment out the line use CGI::Carp qw(fatalsToBrowser);, you don't get error messages to the browser, and since the $xiv assignment broke as demonstrated by fatalsToBrowser:
Software error:
Substitution pattern not terminated at (eval 5) line 2.
For help, please send mail to the webmaster (xxx@yyyyyyyyyy), giving this error message and the time and date of the error.

Content-type: text/html
$xiv=
$xiv has an undefined value.

--Jim


In reply to Re: (OT) TEXTAREA and the Single Quote by jlongino
in thread (OT) TEXTAREA and the Single Quote by jlongino
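The following is an added example, not code from the post above, that reproduces what the eval-based doGetCGIvars does with TEXTAREA contents and compares it with simply using the parameter value as data. It stands in for CGI.pm with a constructed list of sample values (in the real script they would come from $query->param('xiv')); the variable names, the sample strings and the assign_via_eval / assign_directly subs are all assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for what the browser submits in the TEXTAREA.
# In the CGI script these values come from $query->param('xiv').
my @samples = (
    q{plain text},
    q{it's a trap},                          # one single quote
    q{'; $main::injected = 'yes'; '},        # closes the quote, then runs code
);

# The doGetCGIvars approach: turn the value into Perl source and eval it.
# Returns the resulting global's value (undef if the eval died) and $@.
sub assign_via_eval {
    my ($name, $value) = @_;
    no strict 'refs';
    undef ${"main::$name"};
    my $code = "\$main::$name = '$value'";   # a ' inside $value ends the literal
    eval $code;                              # string eval: $value is now code
    my $err = $@;
    return (${"main::$name"}, $err);
}

# The alternative the post has commented out: keep the value as data.
# No source text is built, so quotes (or anything else) cannot change meaning.
sub assign_directly {
    my ($name, $value) = @_;
    my %form = ($name => $value);   # what $query->param('xiv') hands back
    return $form{$name};
}

our $injected = 'no';
for my $v (@samples) {
    my ($got, $err) = assign_via_eval('xiv', $v);
    printf "eval:   input=%-36s value=%s%s\n", "[$v]",
        defined $got ? "[$got]" : 'undef',
        $err ? "  error: $err" : '';
    printf "direct: input=%-36s value=[%s]\n", "[$v]", assign_directly('xiv', $v);
}
print "\$injected is now '$injected'\n";   # 'yes' after the third sample
```

The second sample is the post's own failure: the quote in the data terminates the string literal, the rest is parsed as a substitution operator, eval dies with a "not terminated" error and $xiv stays undefined, silently unless fatalsToBrowser or the error log is consulted. The third sample is the implication the post alludes to: the same mechanism lets a submitter run arbitrary Perl in the script. The UnTaint sub in the post rejects only values containing "<", so it passes both of these inputs unchanged; reading the parameter directly avoids both problems without any untainting of quotes.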
