--- Chris Devers <[EMAIL PROTECTED]> wrote:
> On Mon, 11 Jul 2005, Ron Smith wrote:
>
> > Insecure dependency in open while running with -T switch at
> > C:/www/cgi-bin/upload_save.cgi line 42.
>
> What do you see on line 42?
>
> It seems to be in Store_Results():
>
> > sub Store_Results{
> > my $data;
> > my $mime = uploadInfo($file_name)->{'Content-Type'};
> > open (STORAGE, ">$directory/$file") or die "Error: $directory/$file: $!\n"; # line 42<======
> > if ($mime !~ /text/) {
> > binmode ($file_name);
> > binmode (STORAGE);
> > }
> > while (read($file_name, $data, 1024)) {
> > print STORAGE $data;
> > }
> > close STORAGE;
> > }
>
>
> In other words, it chokes when you try to write to the dynamically
> selected file, $directory/$file.
>
> Unfortunately, this is exactly the sort of thing that taint mode is
> supposed to be catching. Read the perldoc on it for details:
>
> From the command line, if available:
>
> $ perldoc perlsec
>
> Or read it from perldoc.perl.org:
>
> <http://perldoc.perl.org/perlsec.html>
>
> Hope this helps clarify things.
>
> * ** *** ***** ******* *********** ************* *****************
>
> On an entirely unrelated note, if you get in the habit of consistently
> indenting your code now, you'll be *much* happier a year or five from
> now when you're trying to maintain code you wrote when you started out.
I agree and have taken your advice. I've also turned
off "color and graphics" in my messages, so I can post
replies where needed, instead of top posting. :-)
> Here's how I might have written the subroutine in question:
>
> sub Store_Results{
>     my ( $file_name, $directory, $file ) = @_;
>     my $data;
>     my $mime = uploadInfo($file_name)->{'Content-Type'};
>     open (STORAGE, ">$directory/$file")
>         or die "Error: $directory/$file: $!\n";   # line 42<======
>     if ($mime !~ /text/) {
>         binmode ($file_name);
>         binmode (STORAGE);
>     }
>     while (read($file_name, $data, 1024)) {
>         print STORAGE $data;
>     }
>     close STORAGE;
> }
>
> Note also that I explicitly pulled in arguments, rather than using
> globals. This will mean changing the sub call to
>
> Store_Results( $file_name, $directory, $file );
>
> but writing it that way will also just serve to clarify things and make
> it easier to maintain the program when you look at it again years later.
I also took your suggestion here too. It does make
things clearer and more understandable.
I still get the error with the -T switch though, so
I'll check out the suggested reading.
Thanks Chris
Ron
>
> * ** *** ***** ******* *********** ************* *****************
>
> You don't have to follow the details of how I'm doing this if you don't
> want to, but at least choose some conventions and stick to them. Doing
> so will, I promise, save you headaches in the long run :-)
>
>
>
> --
> Chris Devers
>
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
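The taint error in the thread comes from passing a browser-supplied value ($file) straight into open() under -T. The following is an added example, written for this page and not code from Ron, Chris or the perlsec document, of how the same subroutine looks once the file name is untainted the way perlsec describes: match it against a strict pattern and use only the captured part. It assumes the caller hands in the upload filehandle (from CGI.pm's upload()) and the Content-Type (from uploadInfo(), as in the thread's code) as arguments, and that $directory comes from the script's own configuration rather than from the request; the allowed-character pattern and the 64-character limit are choices made for this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint-safe version of Store_Results (added example, not the thread's code).
# Arguments: upload filehandle, destination directory (a constant from your
# own configuration, so it is never tainted), the client-supplied file name,
# and the upload's Content-Type.
sub Store_Results {
    my ( $upload_fh, $directory, $file, $mime ) = @_;

    # $file came from the browser, so Perl marks it tainted and refuses to
    # let it reach open() for writing. The sanctioned way to untaint it is a
    # regex match: only the captured text loses the taint flag. The pattern
    # below (an assumption for this example) allows a plain file name of
    # letters, digits, dot, underscore and dash, must start with a letter or
    # digit, and never contains "/" or "\", so the file always lands inside
    # $directory.
    my ($safe_name) = $file =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/
        or die "Error: refusing unsafe file name\n";

    my $path = "$directory/$safe_name";

    # Three-argument open with an explicit mode: the name can never be read
    # as a mode character or a pipe, which the two-argument form allows.
    open my $out, '>', $path or die "Error: $path: $!\n";

    if ( $mime !~ /text/ ) {
        binmode $upload_fh;
        binmode $out;
    }

    my $data;
    while ( read( $upload_fh, $data, 1024 ) ) {
        print {$out} $data;
    }
    close $out or die "Error closing $path: $!\n";

    return $path;
}

# Stand-alone demonstration with a constructed in-memory "upload", so the
# subroutine can be exercised without a web server or CGI.pm.
if ( !caller ) {
    open my $in, '<', \"sample upload contents\n" or die $!;
    my $dir = '/tmp';    # placeholder; a real script uses its own config value
    print "stored: ", Store_Results( $in, $dir, 'report.txt', 'text/plain' ), "\n";

    # A name containing a path separator is refused before open() is reached.
    seek $in, 0, 0;
    eval { Store_Results( $in, $dir, '../report.txt', 'text/plain' ) };
    print "rejected: $@";
}
```

Two points worth keeping in mind when adapting this: the regex is the untainting step, so make it as narrow as the application allows rather than `(.*)`, which silently defeats taint mode; and $directory must not itself be built from request data, or the resulting path is tainted again and line 42 will fail exactly as before.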