On Mon, 11 Jul 2005, Ron Smith wrote:
> Insecure dependency in open while running with -T switch at
> C:/www/cgi-bin/upload_save.cgi line 42.
What do you see on line 42?
It seems to be in Store_Results():
> sub Store_Results{
> my $data;
> my $mime = uploadInfo($file_name)->{'Content-Type'};
> open (STORAGE, ">$directory/$file") or die "Error: $directory/$file: $!\n";
> # line 42<======
> if ($mime !~ /text/) {
> binmode ($file_name);
> binmode (STORAGE);
> }
> while (read($file_name, $data, 1024)) {
> print STORAGE $data;
> }
> close STORAGE;
> }
In other words, it chokes when you try to write to the dynamically
selected file, $directory/$file.
Unfortunately, this is exactly the sort of thing that taint mode is
supposed to be catching. Read the perldoc on it for details:
From the command line, if available:
$ perldoc perlsec
Or read it from perldoc.perl.org:
<http://perldoc.perl.org/perlsec.html>
Hope this helps clarify things.
* ** *** ***** ******* *********** ************* *****************
On an entirely unrelated note, if you get in the habit of consistently
indenting your code now, you'll be *much* happier a year or five from
now when you're trying to maintain code you wrote when you started out.
A good indenting style -- the details of how you choose to indent don't
matter nearly as much as the fact that you do so consistently -- should
make the structure of your code much easier to grasp at a glance. Here's
how I might have written the subroutine in question:
sub Store_Results{
    my ( $file_name, $directory, $file ) = @_;
    my $data;
    my $mime = uploadInfo($file_name)->{'Content-Type'};
    open (STORAGE, ">$directory/$file")
        or die "Error: $directory/$file: $!\n";    # line 42 <======
    if ($mime !~ /text/) {
        binmode ($file_name);
        binmode (STORAGE);
    }
    while (read($file_name, $data, 1024)) {
        print STORAGE $data;
    }
    close STORAGE;
}
Note also that I explicitly pulled in arguments, rather than using
globals. This will mean changing the sub call to
Store_Results( $file_name, $directory, $file );
but writing it that way will also just serve to clarify things and make
it easier to maintain the program when you look at it again years later.
* ** *** ***** ******* *********** ************* *****************
You don't have to follow the details of how I'm doing this if you don't
want to, but at least choose some conventions and stick to them. Doing
so will, I promise, save you headaches in the long run :-)
--
Chris Devers
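Worked example added by the editor; it is not part of Chris Devers's message or of Ron Smith's script. It shows what taint mode is objecting to in the open() above and the usual remedy: untaint the user-supplied file name by matching it against a strict whitelist pattern and using only the captured part, then open under a directory that is fixed in the program rather than assembled from input. The directory is assumed to be the literal '/tmp' (in place of the original C:/www path), the upload body is an in-memory filehandle with constructed contents, and untaint_filename and store_upload are names chosen for this example. Run it as `perl -T untaint_demo.pl report.txt`; the first argument plays the role of the CGI-supplied name, since @ARGV is tainted under -T just as CGI parameters are.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint a user-supplied upload name: accept exactly one safe filename
# component (letters, digits, '_', '.', '-'; must not start with '.',
# no '/' or '\'). Returns the clean capture, or undef on anything else.
# Taint mode treats the capture from a regex match as clean, so the
# whitelist is the only place where that trust is granted.
sub untaint_filename {
    my ($name) = @_;
    return unless defined $name;
    if ($name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/) {
        return $1;
    }
    return;
}

# Copy an input filehandle to $directory/<cleaned name>.
# $directory is expected to be a literal in the program, not user input.
sub store_upload {
    my ($in_fh, $directory, $raw_name, $is_binary) = @_;
    my $file = untaint_filename($raw_name)
        or die "Refusing to store upload: unacceptable file name\n";
    open(my $out, '>', "$directory/$file")
        or die "Error: $directory/$file: $!\n";
    if ($is_binary) {
        binmode $in_fh;
        binmode $out;
    }
    my $data;
    while (read($in_fh, $data, 1024)) {
        print {$out} $data;
    }
    close $out or die "close: $!\n";
    return "$directory/$file";
}

# --- demonstration with constructed input ---
my $directory = '/tmp';    # assumed fixed location; a literal, so not tainted
my $raw = @ARGV ? shift @ARGV : 'report.txt';   # the default is untainted
print "file name tainted? ", (tainted($raw) ? "yes" : "no"), "\n";

# Constructed upload body served from an in-memory filehandle.
open(my $in, '<', \"constructed upload body\n") or die "open: $!\n";

# The pattern from the original script: opening a path built from the
# tainted name dies under -T with "Insecure dependency in open".
eval {
    open(my $bad, '>', "$directory/$raw") or die "open: $!\n";
    close $bad;
};
print "direct open: ", ($@ || "ok\n");

# The untainted path: only the whitelisted capture reaches open().
my $path = store_upload($in, $directory, $raw, 0);
print "stored at $path\n";
```

With an argument supplied, the direct open reports the "Insecure dependency" error while store_upload succeeds for any name the whitelist accepts and dies for any it rejects; that die is the program deciding, rather than taint mode, and is the behaviour to keep in a CGI handler.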
<http://learn.perl.org/> <http://learn.perl.org/first-response>