If you pass a string from a user directly to open, the person can run arbitray commands. The username ';rm nameofcgi.cgi;' for example will delete nameofcgi.cgi (on some platforms, anyways). Even if you prefix the filename with a directory, someone could use ../ to write to the directory of their choice, someone could use a \0 to prevent any appended string from being used in the filename (since the underlying C library will take the \0 to be end of string). In other words, you need to verify that the data the user has given you does not contain anything it shouldn't. You can use the -T switch (#!/usr/bin/perl -T) which will enable taint checking which will cause perl to stop when it encounters a potentially unsafe operation.
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|
