PerlMonks
Re: How many bugs can *you* find

by turnstep (Parson)
on May 01, 2001 at 01:47 UTC [id://76773]


in reply to How many bugs can *you* find

I started to rewrite it, just for fun, but I had to stop halfway through. Please tell us this is not production code being used somewhere. Please?

(Ovid) Re(2): How many bugs can *you* find
by Ovid (Cardinal) on May 01, 2001 at 01:55 UTC

    turnstep wrote:

    Please tell us this is not production code being used somewhere. Please?

    Unfortunately, I can't tell you that. It is being used. It's in a script that is over 2,000 lines long and does not use strict. I added use strict and an extra 130 lines were added to the error log. As usual, I don't have a lot of time to fix this, and it's called from several different places. My only change at this point was to plug a nasty security hole that tinman alluded to:

    Umm.. a biggie, but I don't think you're untainting any of the file name variables or the param variables that you receive from the user... so a script kiddie style "rm -rf" hack is possible..

    Cheers,
    Ovid


      Well, in that case, if you have to put up with 2000 lines, I can put up with these few. :)

          ## Implicit: htmDir no longer ends in a slash
          use strict; ## Yay!!
          our ($htmDir, $query);  ## set by the enclosing script; declared so strict is happy

          sub updateTiles() {
              my $tilefile = "$htmDir/tile.htm";
              open(TILE, "$tilefile") or die "Could not open $tilefile: $!\n";
              my $tileinfo;
              { local $/; $tileinfo = <TILE>; }   ## slurp the whole file
              close(TILE);
              my $section;
              for $section (qw(Tile Pile Link)) {
                  my $contentTemp = $query->param($section);
                  ## Clean up, aisle seven: delete everything that is not a word char or newline
                  $contentTemp =~ y/A-Za-z0-9_\n//cd;
                  if ($section eq "Pile") {
                      $contentTemp =~ s#\n#<P></P>#g;
                  }
                  elsif ($section eq "Link") {
                      my $searchterm = $contentTemp;
                      ## Even stricter here: lowercase letters only
                      $searchterm =~ y/a-z//cd;
                      $contentTemp = qq{<IMG SRC="images/enter.gif" WIDTH="8" HEIGHT="12">}.
                          qq{<A HREF="cgi-bin/show.cgi?action=showTiles&tileType=Search}.
                          qq{&searchFor=$searchterm">View this month's tiles.</A>};
                  }
                  ## Ugh...I am not going to touch this.
                  $tileinfo =~ s/<!--$section-->(.*)/<!--$section-->$contentTemp/;
              }
              ## Should probably write a new file and copy/rename but:
              ## File locking anyone? :)
              open(HOME,">$tilefile") or die "Could not write $tilefile: $!\n";
              print HOME $tileinfo;
              close(HOME);
              my $image = $query->param('Image');
              ## one or more letters, digits or underscores; nothing else reaches fileUpload
              if ($image =~ /^[A-Z0-9_]+$/i) {
                  my $newFile = &fileUpload('Image',250000,1,'latest_image',
                      'JPEG','.jpg','.jpeg');
              }
          }

      Update: Thanks to merlyn for the catch with the brackets. Now fixed. $Deity help the rest of the 2000 lines however.
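As an added example that is not turnstep's, Ovid's or tinman's code, this is the untainting tinman describes, done the way perl -T enforces it: only a regex capture clears the taint flag, so the character class is the whole policy. The helper name untaint_name, the 32-character limit, the images directory and the sample inputs are all constructed for the illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper (not from the thread): returns the validated file
# name, or undef. Under -T only the capture of a regex match clears the
# taint flag, so the character class *is* the policy: nothing a shell or a
# path would interpret (/, .., ;, |, newline) can come out of it.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    # \A and \z rather than ^ and $: a trailing "\n" still matches $.
    my ($clean) = $raw =~ /\A([A-Za-z0-9_]{1,32})\z/;
    return $clean;    # undef when the pattern did not match
}

# Command-line arguments are tainted, just as $query->param() data would
# be in a CGI run under -T. The fallback inputs are constructed samples.
my @candidates = @ARGV ? @ARGV
               : ('latest_image', '../../etc/passwd', "tile\n", 'x;id');
my $imgDir = 'images';    # constructed, standing in for $htmDir

for my $raw (@candidates) {
    (my $shown = $raw) =~ s/\n/\\n/g;    # make newlines visible
    my $name = untaint_name($raw);
    if (defined $name) {
        # Built only from the clean capture, so it is never tainted and
        # can be handed to open() or fileUpload() without perl complaining.
        my $target = "$imgDir/$name.jpg";
        printf "accepted %-22s -> %s (tainted: %s)\n",
            "'$shown'", $target, tainted($target) ? 'yes' : 'no';
    }
    else {
        printf "rejected %s\n", "'$shown'";
    }
}
```

Run it as `perl -T untaint.pl latest_image '../x'` so the inputs arrive tainted; invoking the script without -T on the command line makes perl refuse with "Too late for -T".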
