Re: CGI and security
by marto (Cardinal) on Jul 10, 2012 at 10:18 UTC
|
Ovid's CGI Course describes security and debugging issues. Spend time reading and understanding this and you'll be in a better position to debug the problem/provide further problem details.
| [reply] |
Re: CGI and security
by blue_cowdawg (Monsignor) on Jul 10, 2012 at 13:15 UTC
|
I am not able to provide any error messages as such. Can some one help me out?
If you can't provide error messages how do you know where your code is failing. There are many reasons for a file upload script failing. Others have posted very good suggestions of where to go from here. Without error messages of some sort it is like your doctor trying to diagnose an illness over the telephone when you can't speak.
Peter L. Berghold -- Unix Professional
Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
| [reply] |
Re: CGI and security
by zentara (Archbishop) on Jul 10, 2012 at 14:33 UTC
|
Try putting this is your cgi script:
#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);
local $SIG{__WARN__} = \&Carp::cluck;
The most likely causes of file upload errors are (1) the upload directory is not mode 0777, or what is called World-Writable; and (2) you are trying to upload to the wrong location. You often need to check what is the absolute path to your upload directory on the server. Often these are aliased, but your server control panel should be able to say what the absolute pathname is to your home dir.
If you havn't discovered it on your own yet, try running this script to get your cgi info.
#!/usr/bin/perl
# Don't buffer output
$| = 1;
# Ask for server name and information
chomp($hostname = `hostname`);
chomp($uname = `uname -a`);
# Ask system for user name
chomp($user = `/usr/bin/whoami`);
# Ask system for user id and group id for this user
($uid, $gid) = (getpwnam($user))[2, 3];
# Get path for sendmail program
chomp($sendmail = `which sendmail`);
#
# Generate the complete form
#
print "Content-type: text/html\n\n";
print qq(
<html>
<head>
<title>CGI Environment</title>
</head>
<body bgcolor="white">
<b>
Host name is $hostname.<br>
CGI programs execute as user $user ($uid, $gid).<br>
System description is $uname.<br>
</b>
<hr>
<h2 align="center">CGI Environment</h2>
<p>
<br>
SERVER_SOFTWARE = $ENV{'SERVER_SOFTWARE'}<br>
SERVER_NAME = $ENV{'SERVER_NAME'}<br>
GATEWAY_INTERFACE = $ENV{'GATEWAY_INTERFACE'}<br>
SERVER_PROTOCOL = $ENV{'SERVER_PROTOCOL'}<br>
SERVER_PORT = $ENV{'SERVER_PORT'}<br>
REQUEST_METHOD = $ENV{'REQUEST_METHOD'}<br>
HTTP_FROM = $ENV{'HTTP_FROM'}<br>
HTTP_ACCEPT = $ENV{'HTTP_ACCEPT'}<br>
HTTP_USER_AGENT = $ENV{'HTTP_USER_AGENT'}<br>
HTTP_REFERER = $ENV{'HTTP_REFERER'}<br>
PATH_INFO = $ENV{'PATH_INFO'}<br>
PATH_TRANSLATED = $ENV{'PATH_TRANSLATED'}<br>
SCRIPT_NAME = $ENV{'SCRIPT_NAME'}<br>
QUERY_STRING = $ENV{'QUERY_STRING'}<br>
REMOTE_HOST = $ENV{'REMOTE_HOST'}<br>
REMOTE_ADDR = $ENV{'REMOTE_ADDR'}<br>
REMOTE_USER = $ENV{'REMOTE_USER'}<br>
REMOTE_IDENT = $ENV{'REMOTE_IDENT'}<br>
AUTH_TYPE = $ENV{'AUTH_TYPE'}<br>
CONTENT_TYPE = $ENV{'CONTENT_TYPE'}<br>
CONTENT_LENGTH = $ENV{'CONTENT_LENGTH'}<br>
<p>
<hr>
<p>
<h2 align="center">Complete Environment</h2>
);
foreach $key (sort keys %ENV)
{
print "$key = $ENV{$key}<br>\n";
}
print qq(
<h2 align="center">System Programs</h2>
Sendmail program path : $sendmail
</body>
</html>
);
| [reply] [d/l] [select] |
|
use CGI::Carp qw(fatalsToBrowser);
local $SIG{__WARN__} = \&Carp::cluck;
I tried putting this code. (I was looking for this piece of code. Thanks). It thrown this error "Software error:
CGI open of tmpfile: Permission denied".
On googling I found like CGI defaults the temp directory to /usr/tmp. Is there any way to override this temporary path. | [reply] [d/l] |
|
It thrown this error "Software error: CGI open of tmpfile: Permission denied". The way I interpret that error, is that your file upload script dosn't have permission to write to the designated upload directory. This is usually because it is not mode 0777 or world-writable, which is needed by file uploads ( unless your apache server is using su-exec).
You really should post a minimal running code example which fails, so we can see where your problems are.
It is 99% probable that the problem IS NOT due to the CGI module. People successfully run http file uploads all the time, but you must have your file paths and permissions correct.
Here is a simple upload script to test with. In your cgi directory, where you place this script, make a subdir called "uploads" and chmod it to 0777. Then run this script thru the browser.
#!/usr/bin/perl
use warnings;
use strict;
use CGI;
use CGI::Carp 'fatalsToBrowser';
my $maxsize = 1024 * 100; #max 100K
my $query = new CGI;
my $upload_dir = "uploads"; #permissions for dir are set 0777
print $query->header();
if($ENV{CONTENT_LENGTH} > $maxsize){
print "file too large - must be less than $maxsize bytes";
exit;
}
my $file = $query->param("file");
my $filename = $file;
$filename =~s/.*[\/\\](.*)/$1/;
open (UPLOADFILE, ">$upload_dir/$filename") or die "$!\n";
$/= \8192; # sets 8192 byte buffer chunks, perldoc perlvar
while ( <$file> ){
print UPLOADFILE $_;
}
close UPLOADFILE;
print <<END_HTML;
<HTML>
<HEAD> <TITLE>Thanks!</TITLE> </HEAD>
<BODY bgcolor="#ffffff"><br>
<P>Thanks for uploading file : $filename!</P>
</BODY>
</HTML>
END_HTML
| [reply] [d/l] |
|
| [reply] [d/l] |
|
| [reply] |
|
| [reply] |
Re: CGI and security
by Anonymous Monk on Jul 10, 2012 at 10:13 UTC
|
| [reply] |
Re: CGI and security
by sundialsvc4 (Abbot) on Jul 10, 2012 at 12:29 UTC
|
Two of the most immediately useful tools you can use to troubleshoot this sort of thing are: on the client side, a debugger such as Firefox; and on the server side, the Apache logs. You need to conclusively see what the client is actually sending, and then to see what the server recorded in its own logs. (What it sends back to the client is probably not very useful for this purpose. You won’t get far, just looking at that.)
Any of us could rattle off a “rogue’s gallery” of likely suspects, particularly in the case of file uploads, but the list is long enough that speculation won’t help much. You need facts.
| |
Re: CGI and security
by davido (Cardinal) on Jul 10, 2012 at 21:08 UTC
|
Is the reason that you're unable to provide any error messages because your code is failing silently, because you have a policy against providing error messages when asking questions, or because you don't know where to find error messages in the server logs?
Without error messages, how do you know that the line you quoted is where the code is failing? You put print statements before and after that line to see if you arrived there?
If your code is failing silently, fix it. Since you didn't provide any code example, we can't tell you what exactly to fix, but I can tell you that anything that can fail should be checked, and errors logged. Any time you make an assertion as to the state of a component of your code, you should be checking that assertion. Did a regex match. Did a file really get opened? Did a file really get written to? Did a particular parameter really get passed? These are all things you can check programatically. And when you do check, if a state comes up where there's no point going on, you log it and die. If you can recover from it, you log it and recover.
If you have a policy against providing error messages when asking questions, change it so that your questions will become answerable.
If you don't know where to find error messages, you have to check the log files for your server. This will be different for different server configurations. Either you need to read the documentation for your server, or contact your server's administrator to ask where the error logs can be found. Without access to them, your CGI adventures will be painful and non-productive.
| [reply] |