PerlMonks  

cgi redirect

by mitchreward (Acolyte)
on Sep 29, 2014 at 20:47 UTC

mitchreward has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks,

I have a small Perl CGI script that has to run and redirect to another web page. But because I print the CGI headers, an HTTP response is already sent back, and a 2nd one gets a 500 error.

I've googled and searched on the Seekers of Perl Wisdom but can't find any way to do my redirect once executed.

#!/usr/bin/perl
use CGI qw(:standard);
use strict;

my $cgi = new CGI;
print $cgi->header();
my @values = $cgi->param('option[]');
foreach (@values) {
    my $command=`rm -r /media/dde/video/$_`;
    print $command;
}
#$cgi->redirect( -location=>"train1.htm");

thanks

Replies are listed 'Best First'.
Re: cgi redirect
by Anonymous Monk on Sep 29, 2014 at 20:57 UTC

    The documentation for CGI says: "If you use redirection like this, you should not print out a header as well."

Re: cgi redirect
by Anonymous Monk on Sep 29, 2014 at 21:07 UTC

    So what happens when one of the form values is "; rm -rf /" or "; cat /etc/passwd"?

    Much safer to use remove_tree from File::Path instead. And check your input values, because they can still refer to parent directories! (File::Spec can help you manipulate the filenames.)

      I'm the only one to use this web page, that is not accessible from the internet. But yeah you're right otherwise, I'd have protected it.

        This is how security holes get born... maybe someday you'll open the script up for others to use, or you'll be working on something for a client and remember that time you wrote this script, and just copy it over since that's the easiest solution, or ...

        Better to protect it from the start. And it's not hard to do, at least throwing this in as the first line of the foreach already helps against some of the bad stuff: tr{a-zA-Z0-9_/-}{}cd (still doesn't protect against symlinks into other directories, and if you add the dot to that list, it won't protect against "..", etc.)

        Capture::Tiny

        use Capture::Tiny qw/ capture /;
        my($stdout, $stderr, $exit) = capture {
            system( 'rm', '-rf', @paths );
        };
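
An added example, not code posted by anyone in this thread, that combines the replies' suggestions: no shell, remove_tree from File::Path, a check that each value stays inside the video directory, and a redirect sent without a prior header(). The helper name safe_target and the filename allowlist are assumptions made for illustration; multi_param needs CGI.pm 4.08 or later.

```perl
#!/usr/bin/perl
# Added example: hardened variant of the script in the question.
use strict;
use warnings;
use CGI ();
use Cwd qw(realpath);
use File::Path qw(remove_tree);
use File::Spec;

my $BASE = '/media/dde/video';    # directory taken from the question

# Hypothetical helper: return the resolved path to delete, or nothing if
# the submitted name is rejected.
sub safe_target {
    my ($base, $name) = @_;
    return unless defined $name;
    # Assumed allowlist: a single path component, no slash, no leading dot
    # (so "." and ".." can never match), no shell metacharacters.
    return unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    my $path = File::Spec->catdir($base, $name);
    return if -l $path;           # refuse symlinks that point elsewhere
    return unless -e $path;       # nothing to delete
    my $real      = realpath($path);
    my $real_base = realpath($base);
    return unless defined $real && defined $real_base;
    # After resolution the target must still be a direct child of the base.
    return unless $real eq File::Spec->catdir($real_base, $name);
    return $real;
}

my $cgi = CGI->new;
for my $name ($cgi->multi_param('option[]')) {
    my $target = safe_target($BASE, $name);
    unless (defined $target) {
        warn "rejected option[] value\n";    # goes to the server error log
        next;
    }
    # No shell is involved, so ";" and backticks in input are never executed.
    remove_tree($target, { error => \my $err });
    warn "could not remove $target\n" if $err && @$err;
}

# redirect() returns the complete response header and must be printed;
# header() is never called, so only one response is sent.
print $cgi->redirect(-location => 'train1.htm');
```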
