You really need to learn about and use Taint.
MeowChow
s aamecha.s a..a\u$&owag.print
Thanks for the suggestion. I've untainted my input.
I never use taint mode because I don't maintain a public http server (all my scripts are single-user only and behind a firewall), but I guess that doesn't really help other people who download my code and have it exploited. Please let me know if you think there's still a problem.
-the Pedro Picasso
(sourceCode == freeSpeech)
I think you're permitting too much. I'd write:
($node) = $node =~ /\w{1,32}/g;
Remember. Be paranoid. They are out to get you :)
MeowChow
s aamecha.s a..a\u$&owag.print
I'd really recommend using HTML::Template or some other templating mechanism. Seeing all that HTML mixed in with the Perl makes me cringe.
anders pearson
I agree that the mixing of code can get ugly, and this is an hour's hack and not the way I'd generally do it, but I prefer to avoid the templating way of doing it. Calling templates and passing them values can be just as ugly as bare HTML and it removes you one step from what you're actually trying to do (which is communicate through web pages).
My preferred approach is object oriented. I create a "Display" object with subs for form generation, etc. that are specific to my current problem. If I can design the interfaces to these objects well enough, I can rewrite them later for Tk or whatever other kind of user display I'm using and not have to re-write the rest of the app. This provides cleanliness in the functional code and separation from the display code but still allows you to see the HTML directly when you want to.
So far I don't know anyone else who does it this way, but I prefer it.
-the Pedro Picasso
(sourceCode == freeSpeech)
Hmm. I wrote pocowiki a while back, which has the same sort of purpose (lightweight (Wiki/Every)-like engine), but is implemented very differently -- I use POE::Component::Server::HTTP (so it runs its own micro-HTTP server), and the database is stored in memory, using Data::Denter for (de)serialization to/from disk. I also wrote a little (MUCK-MPI)-like preprocessor for use on my website. Perhaps I should post (it/them) sometime...
Update: Just noticed -- Personal Interlinked Encyclopedia? PIE? :-)
# no .. / ` \
die "no .. \/ \` \\ allowed in node name.\n" if ($node =~ /(\.\.|\/|\`|\\)/);
I strongly recommend adding this snippet to this program if you are placing this on the public internet. Do not evaluate $node and run an open statement without doing more sanity checking on what's being sent your way.
Making a node as ../data/test would work. With this, it would get shot down before the open call.
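An added example, not code from the original program or from anyone in this thread, that combines MeowChow's allowlist idea with the path check above: the node name is validated (and, under taint mode, untainted) by a regex capture before it is ever joined to a path, and the joined path is re-checked against the data directory before open(). The data directory /var/lib/pie/data and the node file layout are assumptions; the thread does not give them.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Spec;

# Assumed base directory for node files; the original program's path is not shown.
my $DATA_DIR = '/var/lib/pie/data';

# Allowlist: a node name is 1..32 of [A-Za-z0-9_] and nothing else.
# The class is spelled out rather than \w so non-ASCII letters are not admitted.
# Returning $1 from a successful match is what untaints the value under -T;
# the denylist approach (.., /, `, \) would still leave $node tainted and
# says nothing about NUL bytes, ';' or a leading '-'.
sub clean_node_name {
    my ($node) = @_;
    return defined $node && $node =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

# Resolve a node name to a file path, refusing anything outside $DATA_DIR.
sub node_path {
    my ($node) = @_;
    my $safe = clean_node_name($node) // die "bad node name\n";
    my $path = File::Spec->catfile($DATA_DIR, $safe);
    # Belt and braces: confirm the directory part of the joined path is still
    # exactly the data dir before the path reaches open().
    my (undef, $dir, undef) = File::Spec->splitpath($path);
    die "path escapes data dir\n"
        unless File::Spec->canonpath($dir) eq File::Spec->canonpath($DATA_DIR);
    return $path;
}

# Constructed inputs: the traversal attempt from the post, a legitimate name,
# a name carrying shell metacharacters, and an empty name.
for my $candidate ('../data/test', 'HomeNode', 'a`id`b', '') {
    my $path = eval { node_path($candidate) };
    printf "%-16s => %s", "'$candidate'",
        defined $path ? "$path\n" : "rejected: $@";
}
```

Only 'HomeNode' resolves; the other three die before any filesystem call, which is the point of checking before open() rather than after.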