fliptop wrote:

use strict;
use warnings;
use CGI;

my $cgi       = CGI->new;
my $filename  = $cgi->param('filename');
my $mime_type = $cgi->param('mime_type');

# Both values come straight from the request and are used as-is.
print $cgi->header($mime_type);

# Two-argument open: $filename is interpreted as a mode-plus-name string,
# so "..", "/" and a trailing "|" all carry meaning here.
open OUT, $filename or die "Cannot open $filename: $!\n";
my $buffer;

while (my $read = read(OUT, $buffer, 4096)) {
  print $buffer;
}

close OUT;

You're right: when your script deals with parameters, URL-escaped values, etc., CGI.pm is definitely the way to go.


While I understand that the code you posted here is simplified, I have some advice for Merrill and everyone else who wants to do similar things. Always remember to make sure your input is safe:

($file) = $file =~ /^([\w.-]+)$/ or die "Bad argument\n";

Otherwise your script could be used to download every file on your system which is readable by the server process (passing "../../../../etc/passwd" or a similar string as the argument), or even to *write* to any file or to run any command at all (passing "rm ../../somedir/.htaccess|" or something like that).

Use the taint mode (the -T switch) so you'll get a fatal error every time you do something potentially dangerous with unchecked user input.

Also, using the 3-argument call to open() is a good idea:

open FILE, '<', $file or die "Cannot open $file: $!\n";

That way the "command|" argument won't work, but there still is a problem with double dots or slashes in $file.

In my opinion the -T switch is a must for CGI scripts.

--
ZSDC Perl and Systems Security Consulting
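A hardened version of the quoted download script, added here as a worked example; it is not fliptop's or ZSDC's code. It assumes CGI.pm is installed and that the files to be served live in one fixed directory, /var/www/downloads (an assumed path). It goes slightly beyond the post in two ways: the mime_type parameter is validated too, because the quoted script passes it straight into the Content-Type header, and the untainted name is always joined to the base directory rather than opened on its own.

```perl
#!/usr/bin/perl -T
# Added example: a download CGI that untaints both request parameters,
# confines reads to one directory and uses the 3-argument open().
use strict;
use warnings;
use CGI;
use File::Spec;

# Taint mode refuses to run subprocesses with a tainted PATH; clean the
# environment up front even though this script never spawns one.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed location of the files this script is allowed to serve.
my $BASE_DIR = '/var/www/downloads';

# Untaint a file name, or return undef. Exactly one path component of word
# characters, dots and dashes is accepted, and it may not start with a dot,
# so "../", "/", "|" and ".htaccess" never reach open(). \z rather than $
# is used so a trailing newline is rejected as well.
sub untaint_filename {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A([\w-][\w.-]*)\z/;
    return $1;    # the capture is what untaints the value
}

# Untaint a MIME type, or return undef. The quoted script prints this
# parameter straight into header(), so CR/LF or any other text in it would
# end up in the HTTP response headers.
sub untaint_mime_type {
    my ($type) = @_;
    return unless defined $type
        && $type =~ m{\A([A-Za-z0-9][\w.+-]*/[A-Za-z0-9][\w.+-]*)\z};
    return lc $1;
}

my $cgi  = CGI->new;
my $file = untaint_filename(scalar $cgi->param('filename'));
my $mime = untaint_mime_type(scalar $cgi->param('mime_type'));

unless (defined $file && defined $mime) {
    print $cgi->header(-status => '400 Bad Request', -type => 'text/plain');
    print "Bad argument\n";
    exit 0;
}

# The name alone is never a path: always join it to the fixed base directory.
my $path = File::Spec->catfile($BASE_DIR, $file);

# 3-argument open with an explicit '<' mode: $path can only be a file name,
# never a pipe or a mode prefix.
open my $in, '<', $path or do {
    print $cgi->header(-status => '404 Not Found', -type => 'text/plain');
    print "No such file\n";
    exit 0;
};
binmode $in;
binmode STDOUT;

print $cgi->header(-type => $mime);
my $buffer;
while (my $read = read($in, $buffer, 4096)) {
    print $buffer;
}
close $in;
```

Two things worth knowing when trying this. First, the regex capture is the only thing that untaints the parameters; taint mode by itself would refuse a pipe open or a write with a tainted name, but a plain read-only open of "../../etc/passwd" is not something -T stops, so the pattern match is what actually closes the traversal hole. Second, CGI.pm accepts name=value pairs on the command line for debugging, so `perl -T download.cgi filename=../../etc/passwd mime_type=text/plain` should answer with a 400 and "Bad argument" before any file is touched (run it with `perl -T`, since the -T on the shebang line is "too late" otherwise).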


