-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a perl cgi script I wrote to allow me to have large html files on my
web host without exceeding my storage quota.
I'd like it looked at, _I_ can no longer abuse it to run random commands or
go where I shouldn't, but that doesn't mean others can'.
Any other feedback would also be great.
#!/usr/bin/perl
#Let users transparently access files that are gzipped server-side
#Useful only to keep under my storage quota ;-)
my $in = $ENV{'QUERY_STRING'}; # Handle CGI calls
$in =~ s/\+/ /g; # Replace '+' with ' '
$in =~ s/%(..)/pack("c",hex($1))/ge; # Undo URL quoting
$in =~ s/\.\.//g; # Foil Nasty h4x0rz trying to desend
# directories
$in =~ s/\\//g; # There is no need for backslashes!
$in =~ s/\'//g; # prevent h4x0rz from
# running commands like
# zcat.cgi?file=foo.html.gz';rm -rf *'
my %data = split (/=/, $in); # Make an array
my $file = $data{'file'}; # get the name of the requested file
print "Content-Type: text/html\n\n";
# print `echo '$file'`; # debugging
print `zcat ~/WWW/'$file'`; # quotes prevent nastys.
- --
No Microsoft products were used in any way for the creation of this message.
PGP Public key at http://mother.com/~ryan/ryan_at_mother_dot_com.asc
It is also on the servers: Key ID 0x72177BC7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD4DBQE8cJ6cEd9E83IXe8cRAq5qAJ9+/mIZVuwdV/uCwIzU4Cz1/Kp3bQCYrHty
tRBI7Iewb8CvWNC/kQE2DA==
=WHOW
-----END PGP SIGNATURE-----
_______________________________________________
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech
