PerlMonks

Re^9: issues displaying cgi script source?

by antirice (Priest)
on Jul 08, 2004 at 16:21 UTC (#372849)


in reply to Re^8: issues displaying cgi script source?
in thread issues displaying cgi script source?

I am talking about your code Elijah! Stop taking this personally!

I was speaking of your submit script. I see that you've changed it, as you now check whether or not it contains "..". However, note that "blah..pl" most certainly is a legal filename.

What do I mean by extracting the file? I mean remove the file portion of a path. That's it. I apologize for being ambiguous. Check out the documentation and notice that File::Spec->splitpath() returns a list containing three elements, the last of which is the filename. That's what I wanted you to grab: the third element of the list, which is the part that contains a legal filename.

both require the script to be able to write to the cgi-bin folder

Do you understand what it means when I say, "While it may not work for your machine, it may work elsewhere?" You fire back with "These are default settings! No one ever changes defaults unless they know what they're doing!" Not necessarily. Some people change permissions on files and directories because they want to create a web interface to upload scripts to their site. Suppose the hosting company set up the account incorrectly? Suppose they accidentally messed up some of the permissions? Suppose they're running a different webserver on a machine where file permissions don't exist? Just because the configuration of your server protects you against a possible exploit in your code DOES NOT mean that you shouldn't protect against it anyway. Understand where I'm going with this? Code responsibly and make your script as secure as possible, especially when you are offering it to the world.

antirice
The first rule of Perl club is - use Perl
The ith rule of Perl club is - follow rule i - 1 for i > 1


Re^10: issues displaying cgi script source?
by Elijah (Hermit) on Jul 08, 2004 at 16:45 UTC
    I am talking about your code Elijah! Stop taking this personally!
    You are right, I apologize.

    Also, yes, I see now how I could have used splitpath: as long as the full file path is hard-coded, which it is, I could grab the third element and append it to a hard-coded variable.

    Some people change permissions on files and directories because they want to create a web interface to upload scripts to their site.
    Hmm, this sounds familiar... LOL
    Suppose they're running a different webserver on a machine where file permissions don't exist?
    That's blasphemy! Bite your tongue. If they are running a webserver on a machine that has no file permissions (or at least weak ones), then this would mean more than likely they are running Windows IIS, and in that case they have a lot more problems to worry about than my stupid script.

    I never intended people to download my script and use it. I merely posted it originally to show how I coded it and to give people ideas on snippets of code if they wanted to write something themselves and see how I did it. This does not excuse the fact that it did have an issue; although the /tmp directory was the only other directory I was able to write to, that is still a problem I was not aware of and have since fixed. I will more than likely try implementing splitpath() too to see which I like more. I generally do not like to import modules for a simple task if I can find a way to code it myself.

    And yes, while blah..pl is a very legal file name, it would never exist on my system. I do not label files in that manner, and again I did not intend on the widespread usage of this script. As I said quite a few posts back, I am still learning and oversights are still more common than I would like them to be, but it is something I am dealing with.


    www.perlskripts.com
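The approach antirice describes above (take only the filename element from File::Spec->splitpath() and append it to a hard-coded directory), and which Elijah says he will try, written out as an added example. This is not code from either poster's script; the destination directory /var/www/cgi-bin, the function names and the sample inputs are assumptions made up for the illustration. It also shows why the ".." substring check is both too strict (it rejects the legal name blah..pl) and insufficient on its own, and adds a whitelist on the extracted filename as an extra check.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical hard-coded destination directory (an assumption for this
# example, not taken from the thread).
my $UPLOAD_DIR = '/var/www/cgi-bin';

# The substring check discussed in the thread: reject any name containing "..".
# It refuses the legal filename "blah..pl" and still trusts any directory part
# of the submitted value, so it is not the right control.
sub naive_ok {
    my ($name) = @_;
    return $name !~ /\.\./;
}

# splitpath approach: keep only the filename element (third element of the
# list), discard any directory part the client sent, and build the target
# path from the hard-coded directory with catfile().
sub safe_target {
    my ($submitted) = @_;
    my (undef, undef, $file) = File::Spec->splitpath($submitted);

    # "", "." and ".." are not usable filenames.
    return undef if !defined $file || $file eq '' || $file eq '.' || $file eq '..';

    # Extra check: conservative whitelist of filename characters, which also
    # rejects NUL bytes and whitespace. "blah..pl" still passes.
    return undef if $file !~ /\A[A-Za-z0-9._-]+\z/;

    return File::Spec->catfile($UPLOAD_DIR, $file);
}

# Constructed sample inputs showing both checks side by side.
for my $input ('blah..pl', '../../tmp/evil.pl', 'sub/dir/x.pl', '..', 'dir/', 'ok.pl') {
    my $target = safe_target($input);
    printf "%-20s naive:%-7s splitpath:%s\n", $input,
        naive_ok($input) ? 'accept' : 'reject',
        defined $target ? $target : 'reject';
}
```

With these inputs the substring check rejects blah..pl and accepts sub/dir/x.pl as-is, whereas safe_target() keeps blah..pl, maps ../../tmp/evil.pl and sub/dir/x.pl to a file directly under /var/www/cgi-bin, and rejects "..", "dir/" and anything with characters outside the whitelist. Whether the script should then be able to write into that directory at all is the separate permissions question antirice raises.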
