--- Chris Devers <[EMAIL PROTECTED]> wrote:
> On Mon, 11 Jul 2005, Ron Smith wrote:
>
> > Insecure dependency in open while running with -T switch at
> > C:/www/cgi-bin/upload_save.cgi line 42.
>
> What do you see on line 42?
>
> It seems to be in Store_Results():
>
> > sub Store_Results{
> >     my $data;
> >     my $mime = uploadInfo($file_name)->{'Content-Type'};
> >     open (STORAGE, ">$directory/$file") or die "Error: $directory/$file: $!\n"; # line 42<======
> >     if ($mime !~ /text/) {
> >         binmode ($file_name);
> >         binmode (STORAGE);
> >     }
> >     while (read($file_name, $data, 1024)) {
> >         print STORAGE $data;
> >     }
> >     close STORAGE;
> > }
>
> In other words, it chokes when you try to write to the dynamically
> selected file, $directory/$file.
>
> Unfortunately, this is exactly the sort of thing that taint mode is
> supposed to be catching. Read the perldoc on it for details:
>
> From the command line, if available:
>
>     $ perldoc perlsec
>
> Or read it from perldoc.perl.org:
>
>     <http://perldoc.perl.org/perlsec.html>
>
> Hope this helps clarify things.
>
> * ** *** ***** ******* *********** ************* *****************
>
> On an entirely unrelated note, if you get in the habit of consistently
> indenting your code now, you'll be *much* happier a year or five from
> now when you're trying to maintain code you wrote when you started out.

I agree and have taken your advice. I've also turned off "color and
graphics" in my messages, so I can post replies where needed, instead of
top posting. :-)

> Here's how I might have written the subroutine in question:
>
> sub Store_Results{
>     my ( $file_name, $directory, $file ) = @_;
>     my $data;
>     my $mime = uploadInfo($file_name)->{'Content-Type'};
>     open (STORAGE, ">$directory/$file")
>         or die "Error: $directory/$file: $!\n";    # line 42<======
>     if ($mime !~ /text/) {
>         binmode ($file_name);
>         binmode (STORAGE);
>     }
>     while (read($file_name, $data, 1024)) {
>         print STORAGE $data;
>     }
>     close STORAGE;
> }
>
> Note also that I explicitly pulled in arguments, rather than using
> globals. This will mean changing the sub call to
>
>     Store_Results( $file_name, $directory, $file );
>
> but writing it that way will also just serve to clarify things and make
> it easier to maintain the program when you look at it again years later.

I also took your suggestion here too. It does make things more clear and
understandable. I still get the error with the -T switch though, so I'll
check out the suggested reading.

Thanks Chris

Ron

> * ** *** ***** ******* *********** ************* *****************
>
> You don't have to follow the details of how I'm doing this if you don't
> want to, but at least choose some conventions and stick to them. Doing
> so will, I promise, save you headaches in the long run :-)
>
> --
> Chris Devers

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/>
<http://learn.perl.org/first-response>
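The "Insecure dependency in open" message in the thread is taint mode doing its job: under -T, any value that came from outside the program (here the uploaded file name) is marked tainted and may not be used in open() for writing until it has been validated through a regex capture. The following is an added example, not code from either Ron or Chris, showing the shape of the fix that perlsec describes. It replaces the CGI upload handle and uploadInfo() with an in-memory string so it runs stand-alone, and it assumes $directory is a trusted constant rather than user input (if it were user input, it would need the same treatment).

```perl
#!/usr/bin/perl -T
# Added example (not from the mailing-list thread): untainting a file name
# before the open() that failed on line 42.  Run as:  perl -T store_untaint.pl [names...]
# Any names given on the command line are tainted under -T, exactly like an
# uploaded file name would be; the built-in names below are constructed demo
# input and are therefore not tainted (taint marks only external data).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return an untainted, safe file name, or undef if the candidate is rejected.
# Only a bare name made of word characters, dots and dashes is accepted, so
# "../" sequences, slashes, backslashes and NUL bytes never reach open().
# The regex capture ($1) is what clears the taint flag; the rejection rules
# before it are defence in depth on top of the character class.
sub untaint_filename {
    my ($candidate) = @_;
    return undef unless defined $candidate;
    return undef if $candidate =~ /^\./;        # rejects ".", "..", dotfiles
    return undef if length($candidate) > 64;    # keep names short and boring
    if ($candidate =~ /\A([\w.-]+)\z/) {
        return $1;                              # untainted copy of the name
    }
    return undef;
}

# Same job as Store_Results in the thread, written with a lexical handle and
# three-argument open so the mode cannot be smuggled in through the name.
# $data_ref is a reference to the bytes to store (the upload body in the CGI).
sub store_results {
    my ($directory, $file, $data_ref) = @_;
    my $safe = untaint_filename($file);
    die "Error: refusing unsafe file name\n" unless defined $safe;
    my $path = "$directory/$safe";
    open my $storage, '>', $path
        or die "Error: $path: $!\n";
    binmode $storage;                           # treat everything as bytes
    print {$storage} $$data_ref;
    close $storage or die "Error closing $path: $!\n";
    return $path;
}

# Constructed demo: trusted target directory, a mix of safe and hostile names.
my $directory = '/tmp';
my @names = @ARGV ? @ARGV
          : ('report.txt', '../../etc/passwd', "evil\0.txt", '.htaccess');

for my $name (@names) {
    (my $shown = $name) =~ s/[^[:print:]]/?/g;  # make NUL visible in output
    my $path = eval { store_results($directory, $name, \"hello\n") };
    printf "%-20s tainted=%d  %s\n", $shown, tainted($name) ? 1 : 0,
        defined $path ? "stored as $path" : "rejected: $@";
}
```

With the thread's original code, even a perfectly harmless name fails under -T because nothing ever validates it; with this version the harmless name is stored and the three hostile names are refused before open() is reached, which is the behaviour taint mode is there to force.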