PerlMonks  

Code Viewer

by BigJoe (Curate)
on May 19, 2000 at 01:49 UTC (#13136=sourcecode)

Category: file convertor
Author/Contact Info BigJoe email: big_joe1008@linuxstart.com
Description: This is a script that I put together for use on my source code page. It allows me to copy HTML and scripts into a dir and let people pick the ones they want to view, and I don't have to set up a page for each. It does require a param sent to it by using ?html=filename.
Update 6/2/2000: With the help of Fastolfe I have added some testing on $in{html} to make sure it is not tainted.
#!/usr/bin/perl -wT
# -T turns on taint checking (see the replies below); the untaint
# regex in the if block is what makes $filename usable under it.

require "../../cgi-lib.pl";

ReadParse(*in);

# Entities, so the viewed file's tags are shown rather than rendered.
$openbr  = "&lt;";
$closebr = "&gt;";
# $listing = `./allhtml.pl`;  # this script outputs a list of all my html files.

print "Content-type: text/html\n\n";
print "<HTML><BODY><PRE>";

if ($in{html}) {
    # Only letters, digits, '_', '-', '@' and '.' are allowed, so no '/',
    # '|', '>' or other shell or path characters get through.
    if ($in{html} =~ /^([-\@\w.]+)$/) {
        $filename = $1;
    } else {
        die "Bad data in $in{html}";
    }

    # Three-argument open with an explicit read mode, so the name can
    # never be taken as a pipe or a redirection.
    open(LINKPAGE, "<", $filename) or die "Cannot open $filename: $!";
    $filesize = -s LINKPAGE;
    read(LINKPAGE, $wholepage, $filesize);
    close(LINKPAGE);

    $wholepage =~ s/&/&amp;/g;      # first, so the entities below are not re-escaped
    $wholepage =~ s/</$openbr/g;
    $wholepage =~ s/>/$closebr/g;

    print "<FONT size = 5><Center>";
    print $filename;
    print "</Center></FONT><BR>";
    print "$wholepage <BR><BR>";
}
print $listing if defined $listing;
print "<!--Written by Joseph Harnish--><A
HREF=\"http://www.csis.gvsu.edu/~harnisjl\">Big Joe
</A></PRE><BR><BR><BR>\n\n
<FORM NAME=\"myForm\" ACTION=\"html2code.pl\" METHOD=\"POST\">
<TABLE CELLPADDING=2 CELLSPACING=0>
<TR><TD WIDTH=50>File name:</TD><TD><INPUT TYPE=TEXT NAME=\"html\"
SIZE=\"30\"></TD></TR>
<TR><TD COLSPAN=2><INPUT TYPE=SUBMIT VALUE=\"View\"></TD></TR>
</TABLE>
</FORM>
</BODY></HTML>";

exit;

DANGER - MAJOR SECURITY ISSUES
by Fastolfe (Vicar) on Jun 03, 2000 at 01:31 UTC
    Please read the 'perlsec' man page.

    open(LINKPAGE, $in{html});
    This is one of the worst things you can do in a CGI script. I can pass an argument of html=id;cat+/etc/passwd| to your script, or even more evilly, html=rm+-rf+/| or html=>/etc/passwd or all sorts of evil things.

    You should a) strip out any strange characters; b) verify that the item in $in{html} refers to a filename in an appropriate location; and c) open it with something like open(LINKPAGE, "< $in{html}");

    When writing CGI scripts, always keep perlsec in mind and always run with 'taint checking' enabled (-T). This would have spotted the fact that $in{html} is not safe to trust in critical calls like open() or system().

RE: Code Viewer
by KM (Priest) on Jun 03, 2000 at 04:38 UTC
    I won't tear the code apart, but I highly suggest you do NOT use cgi-lib.pl, but use CGI.pm instead. It does have a 'mode' where you can still use the methods from cgi-lib.pl.

    Also, there is a security concern here, as mentioned in another reply. Please take a look at perlsec, use -T (ALL CGI should use -T), and the Untaint.pm module on CPAN.

    Cheers,
    KM
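
An added example, not part of the thread and not BigJoe's script: a viewer that applies Fastolfe's three points (whitelist the name, confine it to one directory, open with a fixed read mode) under -T, reads its parameter with CGI.pm as KM suggests, and escapes the file before echoing it. The directory /var/www/sourcecode, the helper names escape_html and fail, and the exact whitelist are assumptions; the parameter name html is the original script's.

```perl
#!/usr/bin/perl -T
# Added example, not BigJoe's script: a viewer that follows the replies above.
use strict;
use warnings;
use CGI;                 # instead of cgi-lib.pl, as KM suggests
use File::Spec;

# Only files in this directory can be viewed (assumed location).
my $BASE = '/var/www/sourcecode';

# perlsec housekeeping: a tainted PATH would make any later system() call die.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q    = CGI->new;
my $name = $q->param('html');

# (a) Whitelist the name: letters, digits, '_', '-' and '.'; no slashes, no
#     leading dot (so '..' and dotfiles are out), no shell metacharacters.
#     Assigning from the capture is what untaints the value under -T;
#     \z rather than $ so a trailing newline is not accepted either.
my $file;
if (defined $name && $name =~ /^([A-Za-z0-9_-][A-Za-z0-9_.-]*)\z/) {
    $file = $1;
} else {
    fail("bad file name");
}

# (b) Confine it to $BASE and insist on a plain, readable file there.
my $path = File::Spec->catfile($BASE, $file);
fail("no such file") unless -f $path && -r _;

# (c) Three-argument open with a fixed read mode: the name can never be read
#     as a pipe ("cmd|") or a redirection (">file") the way two-argument
#     open would.
open(my $fh, '<', $path) or fail("cannot open file");
my $page = do { local $/; <$fh> };
close($fh);

print $q->header(-type => 'text/html');
print "<html><body><pre>\n";
print '<b>', escape_html($file), "</b>\n\n";
print escape_html($page);          # show the source, do not render it
print "</pre></body></html>\n";

# Escape '&' first so the entities added for '<' and '>' are not re-escaped.
sub escape_html {
    my $s = shift;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Reject with a 400 and a fixed message; nothing from the request is echoed.
sub fail {
    my $msg = shift;
    print $q->header(-type => 'text/plain', -status => '400 Bad Request');
    print "$msg\n";
    exit 0;
}
```

Two things the original's check does not cover are worth noting: its pattern `[-\@\w.]+` still accepts the single name `-`, which a two-argument open treats as standard input, and it never ties the name to a directory, so any readable file in the script's working directory is fair game. Under -T, Perl refuses an open() on a value that has not passed through a capture like the one above, which is exactly the mistake Fastolfe says taint checking would have caught.
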

RE: Code Viewer
by BBQ (Deacon) on May 25, 2000 at 06:58 UTC
    Humm... I didn't get part of the code. If you have:
    $openbr="<"; $closebr=">";
    and
    $wholepage=~s/</$openbr/g; $wholepage=~s/>/$closebr/g;
    aren't you just saying
    $wholepage=~s/</</g; $wholepage=~s/>/>/g;
    What good does that do?
    I may be missing something here.

    #!/home/bbq/bin/perl
    # Trust no1!
      actually what it was supposed to be instead of
      $openbr="&lt;"; $closebr="&rt;";

      but I think something happened.
