Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
Once again, I have another CGI question, but this time relative to security. I'll admit, I know very little about security, and while the -T flag does help, I know that there is always something I might overlook. Just last night, my friend noticed in one of his own scripts that there was a bit of a security loophole in the open command. Apparently, someone figured out how to use some sort of escape commands in the URL to hack into his system. His script's purpose was different -- basically a way for people to view static HTML documents which were parsed into his web-page's table structure. Mine, on the other hand, is a bit different, but I imagine I could potentially have the same loop hole.

Before I show you my little sub-routine, a little background. For obvious reasons, I am not going to display the whole program here. The premise of this sub-routine is that I have a template file, an HTML document, that has commands within it (for example: <!-- fillin(getContent) --> ). Basically, a template is loaded, and based on the input into the CGI, the content will replace the fillin() tags. That in itself is not a security hole as one might think, because I have it set to check whether said commands actually exist earlier in the script (an earlier subroutine). Anyhow, my concern is with the open() command. Here's my code:

# getHTML: Get template and fill in with generated data sub getHTML { $UserInfo = getUserInfo($tempUID); $theme = getTheme($UserInfo->{Theme}); my $template = $theme->{ThemeDir}."index.html"; my $HTML .= <<END; Pragma: no-cache Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private Expires: -1 Content-type: text/html END open(FILE, "<$template") or die "Template : Couldn't open $template +: $!\n"; while (<FILE>) { $HTML .= $_ } close(FILE); while ($HTML =~ /<!-- fillin\((.+?)\) -->/) { my $command_output = &$1($call); $HTML =~ s/<!-- fillin\(.+?\) -->/$command_output/; } return $HTML; } # end getHTML()

Is there any sort of protection I should be adding over the opening of such a file? Maybe some sort of regexp to disallow anything that shouldn't belong? I know in my friend's case, his program allowed user input through the URL. In my case, there is no way for the person to input that template file. The template file is based on a theme that they can select from the database. The file itself is stored within the database.

While I am at it, is there a safer way, in general, to open files in perl? Most of what I do with perl is web development, so this might be useful to know anyhow.

Once again, thank you for your help. I've learned a lot from this wonderful community, and I hope to continue doing so.


In reply to Security with open() in CGI scripts by Coplan

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others perusing the Monastery: (7)
    As of 2018-05-25 09:15 GMT
    Find Nodes?
      Voting Booth?