Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW

Image Lister

by Chady (Priest)
on Apr 04, 2003 at 09:18 UTC ( #248009=snippet: print w/replies, xml ) Need Help??

A lot of times I need to show a client some screenshots of webpages, or applications that I'm working on.

And usually, the client is very stupid when it comes to browsing a folder listing in a webpage (somehow, they don't know that they click on the image, view it, click back, and view another one.)

So I throw in this file in the folder and now they can happily see the picture AND the other links as well.

#!/usr/bin/perl -w
use strict;
use CGI qw/:standard/;

print header;
print start_html({-title=>'Image Lister', -bgcolor=>"#cccccc"});
my $me = CGI::url();

if (param('pic')) {
    my $pic = param('pic');
    $pic =~ s/^\.+//;
    if ( -e "./$pic" ) {
        print img({src=>$pic, border=>1}), br, hr;
    else {
        print "invalid pic.";

opendir CURRENT, "." or die "What the? ($!)";
my @images = grep { /(png|jpg|gif)$/ } readdir CURRENT;
close CURRENT;

print br, a({-href=>"$me?pic=$_"}, $_) foreach @images;
print end_html;

Replies are listed 'Best First'.
•Re: Image Lister
by merlyn (Sage) on Apr 04, 2003 at 17:33 UTC
    Ouch. they can see any image on your disk, if they know its path and you have at least one valid subdirectory. You aren't checking for names like subdir/../../../../ar/bi/trar/y/path/to/a/secret.gif.

    Paths are very very very difficult to get right in CGI, apparently. Many many holes.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

      Well, does it really matter?

      I mean, it's an <img .. tag, and these are usually on a small server meant only for presentation to the clients when a meeting is not very necessary, and as I said, it's just a replacement for the default directory listing (I know I can setup the webserver to serve it's folder listings like that, but the server this is used on is a virtual hosting, so no access to configuration) - so if they can see it with the folder listing, I don't see a problem if they see it with this snippet.

      I think this poses a problem when/if I actually open the file in the perl script to read the contents and print to STDOUT...

      He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.

      Chady |
        It's still a security hole. If you're going to the trouble to strip leading dots, you might as well do the whole job and make sure you're reasonably secure in the entire path.

        And even as is, it's also a useful probing tool. I can see if you have a password file, or certain binaries, because you have a different response if the thing exists vs not exists. Such information can be used to determine if certain users exists (probe for /home/someuser, for example) or what version of software is being run on the system (by looking for paths that exist on Linux vs BSD, etc.)

        So, to fend off the next likely response of "why do I care? there's nothing interesting on this box", remember that an 0wn3d box can be used to launch attacks on others with some anonyminity, or worse yet, putting the blame on you.

        Security does matter.

        -- Randal L. Schwartz, Perl hacker
        Be sure to read my standard disclaimer if this is a reply.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: snippet [id://248009]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (6)
As of 2018-10-16 00:24 GMT
Find Nodes?
    Voting Booth?
    When I need money for a bigger acquisition, I usually ...

    Results (82 votes). Check out past polls.