Re: issues displaying cgi script source?
by jZed (Prior) on Jul 06, 2004 at 16:30 UTC
Is there any way I can use this method and not have the web browser parse the cgi source code as html code and simply display it as text?
Use <pre> tags.
Ahh yes this works great for spacing and indention but html is still rendered inside the pre tag.
for (@source) {
    s/&/&amp;/g;   # escape the ampersand first, or the entities below get double-escaped
    s/</&lt;/g;    # a literal "<" must become &lt; so the browser does not open a tag
    print;
}
or use the HTML escape routine in CGI.
Re: issues displaying cgi script source?
by Joost (Canon) on Jul 06, 2004 at 16:37 UTC
Leave out all the HTML in the output and set your Content-type to "text/plain" instead of "text/html".
Re: issues displaying cgi script source?
by diotalevi (Canon) on Jul 06, 2004 at 16:49 UTC
Your script contains a security hole. The value of ( param() )[0] is given directly to your two-arg-open() call. It looks like your -e test might be enough to prevent people from taking over your shell but it is at least giving the world access to read any file on your hard drive. Please read perlsec, turn on tainting, and learn to use three-arg-open: open ..., "<", $full or die "Couldn't open $full for reading: $!"
I can see your concern but do not really see how anyone can read any file on my filesystem by this usage. Permissions will not allow for any privileged file to be read by a webserver running as "nobody" or any other non-privileged user.
Not to mention the hard coded variable of $path which is not changeable by the user and is the entire first portion of the variable $full's value.
If there is a way to break out of this directory with the current state of this script please be specific because I do not see it.
I have read about the two and three arg open calls but do not see in this implementation how a three arg open call will help any. Now I am not saying it won't because I am the farthest thing from an expert but if it will please again be more specific.
Edit: Ohh wait a minute! Oh crap, I see it and tested it and yes you are correct. Big oversight on my part. Thanks for the heads up! Permissions do save me on privileged files but there are some un-privileged files Apache can read that people have no business looking at and that can lead to further exploitation.
See about using File::Spec and functions like splitpath() or no_upwards(). Also, use the three-arg open because even if a user gives you a filename like " foo |" or ">bar" then you are specifying the "action" part of the open separately. It tells perl that everything in the filename portion of the function is a filename and no part of that is to be interpreted specially.
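The two fixes discussed in this thread (escaping the source before it goes into the page, and refusing to let the request pick an arbitrary path before a three-argument open) can be combined into one small script. The following is an added example, not code from any poster or from the site under discussion; the directory $path and the sample request names are constructed for the demonstration, and it is meant to be run under taint mode (perl -T) as diotalevi recommends.

```perl
#!/usr/bin/perl
# Added example. Run as:  perl -T show_source.pl
# (-T is left off the shebang only so that "perl show_source.pl" also works;
#  on a real CGI script put it on the shebang line.)
use strict;
use warnings;
use File::Spec;

# Hypothetical directory holding the only scripts we are willing to display.
my $path = '/var/www/cgi-bin/showable';

# Escape the characters a browser would otherwise interpret. Same idea as the
# s/// loop posted above, with the entities written out in full.
sub html_escape {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;    # must come first or later entities get double-escaped
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Turn an untrusted name from the request into a path below $base, or undef.
# In the script being discussed this value is ( param() )[0], i.e. the first
# parameter *name* in the query string, so it is entirely user controlled.
sub safe_script_path {
    my ($base, $name) = @_;
    return undef unless defined $name && length $name;

    # Reject anything carrying a directory part at all ("../x", "/etc/x").
    my ($vol, $dirs, $file) = File::Spec->splitpath($name);
    return undef if length $vol || length $dirs;

    # no_upwards() drops "." and ".."; if nothing survives, refuse.
    return undef unless File::Spec->no_upwards($file);

    # Whitelist the remaining characters (no spaces, pipes, NULs, leading dots).
    # The capture is also what untaints $file under -T before it reaches open().
    return undef unless $file =~ /\A([\w-]+(?:\.[\w-]+)*\.(?:pl|cgi))\z/;

    return File::Spec->catfile($base, $1);
}

# Three-argument open: "<" is the mode, so $full is only ever a filename and
# a value such as "foo |" or ">bar" can never become a pipe or a write.
sub source_as_html {
    my ($full) = @_;
    open(my $fh, '<', $full) or return undef;
    local $/;                       # slurp the whole file
    my $src = <$fh>;
    close $fh;
    $src = '' unless defined $src;  # empty file
    return "<pre>" . html_escape($src) . "</pre>\n";
}

# Constructed inputs standing in for what a query string might carry.
my @requests = ('hello.pl', '../../../etc/passwd', 'hello.pl |',
                '>bar', '..', '/etc/passwd', 'a b.cgi', ".htaccess");
for my $name (@requests) {
    my $full = safe_script_path($path, $name);
    printf "%-24s => %s\n", "'$name'", defined $full ? $full : 'REJECTED';
    next unless defined $full;
    my $html = source_as_html($full);
    print defined $html ? $html : "(could not open $full: $!)\n";
}
```

Of the constructed requests only 'hello.pl' yields a path; everything with a directory part, a pipe, a space, a leading dot or a bare '..' is refused before open() is ever reached. If you would rather not hand-roll the escaping, CGI::escapeHTML() from the CGI module does the same job as html_escape() here.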
Re: issues displaying cgi script source?
by Wassercrats (Initiate) on Jul 06, 2004 at 17:18 UTC
I like the antispam script. It wasn't exactly cut and pastable, but I fixed it and I might use it on my website. I still have to read those references from your comments, but it sounds like everyone should have such a script on their website.
I could write it in three lines, but that's beside the point.
Re: issues displaying cgi script source?
by diotalevi (Canon) on Jul 06, 2004 at 18:27 UTC
Say, I notice that your submit-script has a problem that lets me write to any file on your hard drive. Fix that too. Also fix your scripts to use CGI instead of trying to parse stuff in %ENV and STDIN. Again, use taint on all of those. These are just some general comments on some specific problems I saw while looking at your code and some hints to techniques that will help you get rid of them.
Re: issues displaying cgi script source?
by merlyn (Sage) on Jul 06, 2004 at 19:03 UTC
my $cgi = new CGI;
my @param = $cgi->param();
...
my $full = $path.$param[0];
...
open(FILE, "$full") || error();
/me ensures that the big black mark previously crossed through the name of perlskripts.com is still clearly visible, and raises his eyebrows once again.
Thank you once again for showing just how wrong you can create a script. Nice. I'll take everything you've written as the "before" column in my next training course. Loads of laughs.
I am sure you have never made a mistake, but seeing how the rest of us are not perfect and sometimes have oversights, you might want to tone down the insults a bit. I thought that is what places like perlmonks were for: to learn better ways of doing things, not to be insulted by someone so insecure about their life that they need to tear people down in order to build themselves up.
Once again I have yet to see any help to anyone come from your corner. There is a very distinct difference in the way you responded to this post and the way diotalevi responded to this post. I am sure it will also be apparent to everyone who reads this.
You know it really is a shame that people who come here looking to learn and receive quality help have to deal with people like you. Reading your comments is like sifting through the trash.
I think the tone you are feeling from his post is there, but I think his reasoning for taking that tone with his response is that you are not only asking for help, but in this world of Google indexing and cross linking you are potentially providing very badly written (!! insecure !!) scripts to other people who, like you, may not know any better. You may feel like you are doing a service or documenting your journey of learning perl -- but publishing scripts of that quality just ends up hurting the community. You will get someone who copies or learns from your (very poorly written) examples and repeats the same errors. As it stands even your backend script is easily exploitable; I would suggest you take it down until you read these posts and fix it. Unlike the posters above, there may be many others who read this board that do not feel like giving feedback and may just feel like messing with your site.
I'll be happy to rescind every comment I've made about you and the quality of your code once you take www.perlskripts.com offline. The problem is that you've dug your own grave. You've offered yourself as a model code writer, and I'm here to say that you aren't. That's my job.
If you acknowledge that you are what you are (a junior programmer still learning), you'll get a lot more respect from me. But I have absolutely no sympathy for anyone running a "scripts archive" that puts out the kind of crap you do, suggesting that it's good code. It's like a used car dealership that puts sawdust in the crankcase hoping that no one hears the gears grinding until they get the car off the lot for a few days. Consider me the "consumer reports" or "better business bureau", calling you on your crap.
So, I hear your challenge, and I challenge you to put your money where your mouth is. Pull your site offline, and I'll apologize.
Re: issues displaying cgi script source?
by sgifford (Prior) on Jul 07, 2004 at 00:50 UTC
If you don't mind losing the formatting and just want to display the script, use Content-type: text/plain instead of HTML. That would make the script easier for a user to save and download too.