
Re: Re: file download security

by jreades (Friar)
on Apr 15, 2002 at 18:35 UTC ( #159288=note )

in reply to Re: file download security
in thread file download security

Isn't the fact that we have:

open(FILE, "$filename")

another big one? (I'm getting back into Perl after a year or two of Java)

open(FILE, "<$filename")

is a good idea to ensure that even if the user is able to access files that they shouldn't using this script, at least they can't replace foo.txt with my_evil_virus.txt.


Re: Re: Re: file download security
by tachyon (Chancellor) on Apr 15, 2002 at 19:29 UTC

    That is why the code is:

    open FILE, "$filepath/$filename";

    # so provided we hard code $filepath....
    my $filepath = '/usr/somewhere';

    # and untaint $filename ensuring there are no ../ etc, in it
    my $filename = $q->param('filename') || '';
    ($filename) = $filename =~ m/^([\w.-]+)\z/;

    # then this is quite safe...
    open FILE, "$filepath/$filename" or die $!;

    As you rightly point out, open FILE, $file where the user supplies $file and it is not untainted is dangerous as hell; see this for why.




Re: Re: Re: file download security
by tachyon (Chancellor) on Apr 16, 2002 at 14:01 UTC

    BTW the hard coded < provides no protection. Besides the obvious fact that we only read from the file, not print to it, consider $filename = 'ls; cd /; rm -rf *'

    You can satisfy the < easily with say ls, then add a ;, then go for your life.... The keys for security are 1) hard code the path; 2) untaint the filename so it can only contain m/^[A-Za-z._-]+\z/, which stops the old ../../../etc/passwd. Setting taint mode with the -T flag will catch a lot of errors. Don't CGI without it.
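An added example, not tachyon's code, that puts the two rules from this reply into one small script: a hard-coded directory, the untaint regex, and a three-argument open so the mode is fixed by the code rather than by anything in the name. The directory name, the sample inputs and the extra rejection of a bare "." or ".." (which the single-component regex on its own lets through) are my additions.

```perl
use strict;
use warnings;
# Run as: perl -T this_script.pl   (taint mode, as the reply recommends)

# Hard-coded download directory (assumed value for this example).
my $filepath = '/usr/somewhere';

# Untaint a user-supplied filename: accept only one path component made
# of word characters, dots and dashes. A slash never matches, so
# "../../../etc/passwd" is refused outright. Returns undef on rejection.
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($clean) = $raw =~ m/^([\w.-]+)\z/;   # the capture untaints under -T
    return undef unless defined $clean;
    return undef if $clean =~ m/^\.+\z/;     # "." and ".." pass the regex alone
    return $clean;
}

# Build the path only from the fixed prefix and the cleaned name, and use
# three-argument open: the mode is the literal '<', so no character in the
# name (pipes, mode prefixes, ';') can change how the open behaves.
sub open_download {
    my ($raw) = @_;
    my $name = untaint_filename($raw);
    return undef unless defined $name;
    open my $fh, '<', "$filepath/$name" or return undef;
    return $fh;
}

# Constructed sample inputs: the two from the thread plus a legitimate
# name and the bare ".." edge case.
for my $input ('foo.txt', '../../../etc/passwd', 'ls; cd /; rm -rf *', '..') {
    my $name = untaint_filename($input);
    printf "%-26s => %s\n", "'$input'",
        defined $name ? "accepted as '$name'" : 'rejected';
}
```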



