Despite your impressions, this set of scripts is written with the older cgi-lib.pl library (as mentioned by grep) and a handrolled form parser (update: and, of course, not the recommended CGI module). (Why include a library that does something and do it again? Beats me.)

More importantly, these scripts contain potentially serious security holes. They often use form input directly from the web browser in forming filenames which are then written to or deleted. This means that through these scripts someone could potentially overwrite or delete any file your script has access to. Even worse, this script will, under some circumstances (update: the hole grep found will probably allow that most of the time. I found another (`echo "$body" | $mail ...`) which would probably not be so common, being dependent on the setting of what mailer to use), include user input as part of a shell command. This means that someone could probably even run arbitrary shell commands on the system (e.g. rm -rf / to remove all files the script can remove).

As for the coding style, these scripts are similarly bad. The indentation is horribly inconsistent. They don't use warnings and strict, let alone taint checking. They don't check the return value of many system calls (e.g. open, unlink). Variables are "declared" with both local and my -- only one should be used, ideally my, since this script intends to run on perl5 systems (as evidenced by the perl5-only use statement). (Because my wasn't introduced till perl5, local was typically used in the same way in perl4, which is at least 8 years out of date.)

This program also uses syntax like this for prototypes:

sub sendmailer($recipient, $sender, $subject, $message){
This syntax is not supported in any written version of perl.

update: Elaborating on a point grep made, requiring 777 permissions could also be considered a security flaw: it lets pretty much anyone else on the web server you are using mess with the files this script is managing. In almost any way they want to.


In reply to Re: cgi.pm file upload script by wog
in thread cgi.pm file upload script by wolverina
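The two holes wog describes (form input used as a filename, and form input interpolated into a shell command) are shown below next to hardened versions, as an added illustration; this is not code from the thread or from the script under review. The directory in $UPLOAD_DIR, the sendmail path in $SENDMAIL and the function names are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread or from the reviewed script.
# $UPLOAD_DIR, $SENDMAIL and the function names are assumptions.
use strict;
use warnings;
use File::Spec;

my $UPLOAD_DIR = '/var/www/uploads';     # assumed upload directory
my $SENDMAIL   = '/usr/sbin/sendmail';   # assumed mailer path

# Taint mode (-T) refuses to start any external program while PATH and the
# shell's environment hooks are untrusted, so pin them before any pipe open.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# --- Hole 1: a filename built straight from a form field --------------------
# This is the pattern the reviewed scripts use. A value such as
# "../../etc/passwd" leaves $UPLOAD_DIR, and the result is then written to or
# unlinked with the script's privileges. Kept here only to build the string.
sub unsafe_path {
    my ($field) = @_;
    return "$UPLOAD_DIR/$field";
}

# Hardened: accept one conservative pattern, capture the match into a new
# variable (that is how taint mode is told the value was checked), and join
# with File::Spec so no separator from the input survives.
sub safe_path {
    my ($field) = @_;
    my ($name) = $field =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/
        or die "filename rejected\n";
    return File::Spec->catfile($UPLOAD_DIR, $name);
}

# Write the upload, checking every return value the reviewed scripts ignore.
sub store_upload {
    my ($field, $data) = @_;
    my $path = safe_path($field);
    open my $fh, '>', $path  or die "open $path: $!\n";
    print {$fh} $data        or die "write $path: $!\n";
    close $fh                or die "close $path: $!\n";
    return $path;
}

# --- Hole 2: form input interpolated into a shell command --------------------
# The pattern wog quotes, `echo "$body" | $mail ...`, hands $body to /bin/sh,
# so a quote or a ";" inside the message becomes part of a command line.
# Hardened: open a pipe to a fixed program with a fixed argument list (no
# shell is involved), keep user data out of argv entirely by letting sendmail
# read the recipient from the headers (-t), and strip line breaks from header
# fields so a message cannot smuggle extra headers into the mail.
sub send_report {
    my ($recipient, $subject, $body) = @_;
    my ($to) = $recipient =~ /\A([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/
        or die "recipient rejected\n";
    (my $subj = $subject) =~ s/[\r\n]+/ /g;
    open my $mh, '|-', $SENDMAIL, '-t', '-oi'
        or die "cannot start $SENDMAIL: $!\n";
    print {$mh} "To: $to\nSubject: $subj\n\n$body\n"
        or die "write to $SENDMAIL: $!\n";
    close $mh or die "$SENDMAIL failed: ", ($! ? $! : "exit status $?"), "\n";
    return 1;
}

# Quick check of the filename filter against the traversal case.
print safe_path('report.txt'), "\n";
eval { safe_path('../../etc/passwd') };
print "blocked: $@" if $@;
```

Run it with `perl -T` on the command line as well as in the shebang; perl stops with "Too late for -T option" if the switch is only on one of them. The point of the list-form pipe open is that no shell parses the message: the only things that reach argv are constants, and the user-supplied recipient and subject are validated and printed into the headers, which taint mode does not need to check because print is not an exec.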
