Does anybody have any ideas on this?

Regards,

-Roberto

On Sun, May 25, 2008 at 03:45:24PM -0400, Roberto C. Sánchez wrote:
> [Please CC me on all replies]
>
> So, I am writing some simple code to allow a user to upload his own
> photo galleries. The section of code giving me problems is this:
>
> my $scratch_dir = $gallery_dir . "/scratch";
> my $zipper = Archive::Zip->new();
> my $zip_stat = $zipper->read($destfile);
> if ($zip_stat == Archive::Zip::AZ_OK) {
>     $zipper->extractTree('.', $scratch_dir);
>     print "Extracted archive contents into target directory.</p>\n";
> } else {
>     print "Unable to operate on the uploaded archive file. Please fix the
> problem and upload again.</p>\n";
> }
>
> When I call extractTree() in the manner shown above, I get the
> "Extracted archive..." output, but nothing is actually extracted. If I
> change the call to extractTree() with no arguments, I get a 500 error
> and this in my Apache log:
>
> [Sun May 25 08:57:35 2008] [error] [asp] [11570] [error] error executing
> code for include /var/www/templates/Photo_page_edit.tmpl: Insecure
> dependency in open while running setgid at /usr/lib/perl/5.8/IO/File.pm
> line 70. <--> ; compiled to SCALAR(0x91f6f24) at
> /usr/share/perl5/Apache/ASP/Response.pm line 844. <--> ,
> /usr/share/perl5/Apache/ASP.pm line 1521
>
> If I try this, I also get the same taint error:
>
> my $scratch_dir = $gallery_dir . "/scratch";
> my $zipper = Archive::Zip->new();
> my $zip_stat = $zipper->read($destfile);
> if ($zip_stat == Archive::Zip::AZ_OK) {
>     my @members = $zipper->memberNames();
>     foreach my $fn (@members) {
>         # untaint the member name before using it as a path
>         $fn =~ /(.*)/;
>         $fn = $1;
>         $zipper->extractMember($fn);
>     }
>     print "Extracted archive contents into target directory.</p>\n";
> } else {
>     print "Unable to operate on the uploaded archive file. Please fix the
> problem and upload again.</p>\n";
> }
>
> I have also tried adding in gratuitous untaintings, but to no avail.
> Has anyone been able to make Archive::Zip work? If so, how? I am very
> close to just using system() to call /usr/bin/unzip, but that is not
> very portable.
>
> Regards,
>
> -Roberto
>
> P.S. The server running this site is Debian Etch, so unfortunately, I
> cannot use Archive::Extract which is included in Perl 5.10.0.
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
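An added example, not Roberto's code, of extracting an uploaded archive with Archive::Zip while taint checks are on: instead of the blanket /(.*)/ untaint, each member name is checked against a strict pattern that also rejects absolute paths and ".." components, and an explicit target path is handed to extractMember(), so no string derived from the archive reaches open() unvalidated. It assumes $scratch_dir is an existing, trusted directory and that the extraction runs as the web server user with no further privilege.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): extract an uploaded zip under
# taint checks by validating every member name before it becomes a path.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Spec;
use File::Path qw(mkpath);
use File::Basename qw(dirname);

# Return an untainted, relative, traversal-free path, or undef to reject.
# Only this narrow pattern untaints; "../", absolute paths and odd bytes fail.
sub safe_member_name {
    my ($name) = @_;
    return undef if $name =~ m{^/} || $name =~ m{(^|/)\.\.(/|$)};
    return undef unless $name =~ m{^([A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*/?)$};
    return $1;    # the captured group is untainted
}

# Extract all members of $zipfile into $scratch_dir (assumed trusted and
# existing). Returns the number of files written, or undef on a bad archive.
sub extract_upload {
    my ($zipfile, $scratch_dir) = @_;
    my $zip = Archive::Zip->new();
    return undef unless $zip->read($zipfile) == AZ_OK;

    my $count = 0;
    for my $member ($zip->members()) {
        my $rel = safe_member_name($member->fileName());
        if (!defined $rel) {
            warn "skipping unsafe member name: " . $member->fileName() . "\n";
            next;
        }
        my $target = File::Spec->catfile($scratch_dir, $rel);
        if ($member->isDirectory()) {
            mkpath($target) unless -d $target;
            next;
        }
        mkpath(dirname($target)) unless -d dirname($target);
        # Passing an explicit, untainted target means Archive::Zip never
        # builds the output filename from (tainted) archive data itself.
        $count++ if $zip->extractMember($member, $target) == AZ_OK;
    }
    return $count;
}

my $n = extract_upload($ARGV[0], $ARGV[1]);
print defined $n ? "extracted $n file(s)\n" : "unable to read archive\n";
```

Members whose names fail the check are skipped with a warning rather than silently renamed, which keeps the rejection visible in the server log.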