Sorry for the lack of security -- I was basing my file selection mechanism
on the one that the original poster had been using.

I agree with you that it is rather unsafe.  In fact, I would create a
hard-coded (or read from a secure location on the local FS) list of all
allowed files, and if the requested one doesn't match an item in the list, I
would log the request and email the scriptadmin.

Ricky

-----Original Message-----
From: Tillman, James [mailto:[EMAIL PROTECTED]]
Sent: Monday 07 January 2002 11:20 AM
To: Morse, Richard E.; 'Robert Davis'; [EMAIL PROTECTED]
Subject: RE: Show perl source on web page

> A slightly more trivial example would be this:
> 
> #!/usr/bin/perl -w
> use strict;
> 
> print "Content-type: text/plain\n\n";
> my $fn = $ENV{'QUERY_STRING'};
> 
> my $opened = 1;
> 
> open(my $in, "<", $fn) || ($opened = 0);
> 
> if ($opened) {
>       while (<$in>) {
>               print $_;
>       }
> } else {
>       print "Could not open requested script: $!\n";
> }
> 
> __END__

I assume by "trivial", you mean "hack me, PLEEEEEEZ!"  ;-)

Please never, ever, on any server install a script that takes a full path to
a file name and prints the source.  It makes perl cgi coders look very, very
bad.  Please don't do that.  Define a document root as a constant in your
CGI code, accept only the filename (preferably only the basename, as you can
append the .pl yourself) as the parameter, check for .. and other hacker
tricks, and run in taint mode.

jpt
_______________________________________________
Perl-Win32-Users mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-users
_______________________________________________
Perl-Win32-Users mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-users
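Putting the advice from both messages above into one script, as an added example that is not code from the original thread: taint mode, a fixed document root, a basename-only parameter restricted to a strict character whitelist (so `..`, slashes, NULs and drive letters never get through), an allowlist of servable scripts read from a location outside the web tree, a check that the resolved file still sits in the document root (catches symlinks), and logging of rejected requests. The paths `/var/www/cgi-bin` and `/etc/showsrc/allowed.txt`, the parameter name `script`, and logging to STDERR (the web server's error log) are assumptions; the e-mail to the script admin would hang off the `reject` routine.

```perl
#!/usr/bin/perl -wT
# Added example, not from the original thread. A "show source" CGI written
# the way the replies above recommend: taint mode, fixed document root,
# basename-only parameter, allowlist, and logging of rejected requests.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Basename qw(dirname);

# Assumed locations; adjust for the server. The allowlist must not be
# reachable through the web server.
use constant DOC_ROOT  => '/var/www/cgi-bin';           # where the .pl files live
use constant ALLOWLIST => '/etc/showsrc/allowed.txt';  # one basename per line

# Usual taint-mode hygiene, even though this script runs no external commands.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print "Content-type: text/plain\n\n";

# Parse the query string ourselves: ?script=foo  (assumed parameter name)
my %param;
for my $pair (split /[&;]/, ($ENV{QUERY_STRING} || '')) {
    my ($k, $v) = split /=/, $pair, 2;
    next unless defined $k;
    $v = '' unless defined $v;
    $v =~ tr/+/ /;
    $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    $param{$k} = $v;
}
my $requested = defined $param{script} ? $param{script} : '';

# 1. Untaint with a whitelist pattern: letters, digits, underscore, hyphen.
#    Anything else (.., / , \, %00, C:, spaces) fails to match and is refused.
my ($base) = $requested =~ /\A([A-Za-z0-9_-]{1,64})\z/
    or reject("bad script name");

# 2. Only names on the allowlist are served (Ricky's suggestion).
my %allowed = map { $_ => 1 } read_allowlist(ALLOWLIST);
$allowed{$base} or reject("not on allowlist");

# 3. Append .pl ourselves, then confirm the file really lives in DOC_ROOT.
#    realpath() follows symlinks, so a link planted in the root that points
#    elsewhere resolves to a different directory and is refused.
my $root = realpath(DOC_ROOT);
my $real = realpath(File::Spec->catfile(DOC_ROOT, "$base.pl"));
(defined $root && defined $real && dirname($real) eq $root && -f $real)
    or reject("resolved outside document root");

open(my $in, '<', $real) or reject("cannot open: $!");
print while <$in>;
close $in;
exit 0;

# Read the allowlist: blank lines and # comments ignored.
sub read_allowlist {
    my ($file) = @_;
    open(my $fh, '<', $file) or return ();
    my @names;
    while (<$fh>) {
        chomp;
        s/\s+\z//;
        next if $_ eq '' || /^#/;
        push @names, $_;
    }
    close $fh;
    return @names;
}

# Log the rejected request (capped and stripped of control characters so a
# hostile query string cannot forge log lines) and give the client no detail.
sub reject {
    my ($why) = @_;
    my $raw = substr(($ENV{QUERY_STRING} || ''), 0, 200);
    $raw =~ s/[^ -~]/?/g;
    my $from = $ENV{REMOTE_ADDR} || '-';
    # STDERR reaches the web server's error log; an e-mail or page to the
    # script admin would be sent from here as well.
    print STDERR "showsrc: rejected request from $from ($why): $raw\n";
    print "Could not show the requested script.\n";
    exit 0;
}
```

Note that the allowlist is read on every request, so it can be edited without touching the script; because `$base` is already untainted by the regex, the (tainted) allowlist contents are only ever used as hash keys and never reach a file operation.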