Re: Newbie -- got a question
--- Lee Hoffner <[EMAIL PROTECTED]> wrote:
> Thanks, Curtis! Below is the script. (I hope it's clear!)
>
> #!/usr/local/bin/perl
[snip]
> use strict;
> use CGI qw/:standard/;
> my $dir = param('dir');
[snip]
> @filearray = opendir(D,$dir) or die $!;

Lee,

From the snippet above, I can see that there is a significant issue here. Golden rules of CGI security: never trust user input and never allow user input near the shell.

Syntax errors aside, in the above example, anyone can specify any path and they'll get a list of all jpegs and gifs. You probably don't want that. Also, if someone in the future were to take your script and modify it to serve all files, you'd have even worse problems. One of the biggest sources of security holes stems from scripts that did not, in and of themselves, have problems, but were coded with weaknesses and later modification to the scripts exposed the weaknesses.

I took the liberty of recoding your program and testing it, though I've kept what you were looking for. The main thing I did is specify a list of *known good* directories in a hash. If the user-supplied directory is not a hash key, they don't get a list of files. From the HTML end, it's probably best to have a box or something similar so the user doesn't have to (mis)type the directory name every time.

#!/usr/local/bin/perl -wT
use strict;
use CGI::Pretty qw/ :standard *table /;
use CGI::Carp;

my $in_dir = param('dir');

# if $dir isn't a hash key, they can't open a directory
my %dirs = (
    archimage1    => '/archives/1/',
    archimage2    => '/archives/2/',
    miscellaneous => '/images/misc/'
);

my $dir;
$dir = $dirs{ $in_dir } if exists $dirs{ $in_dir };

#Verify that the requested directory exists.
if ( defined $dir ) {
    opendir DIR, $dir or croak "Could not open $dir: $!";
    my @imagefiles = grep /\.(gif|jpg)$/, readdir(DIR);
    closedir DIR;

    print header,
          start_html( -title => 'Archives' ),
          start_table;

    for ( 0 .. $#imagefiles ) {
        print Tr( td( img( { src => $dir . $imagefiles[ $_ ] } ), ) );
    }

    #With the loop finished, the script finishes writing the HTML page.
    print end_table, end_html;
}
#Fail (somewhat) gracefully...
else {
    print header,
          start_html( -title => 'Directory not found' ),
          h3( "The directory could not be found " ),
          end_html;
}

Also, I am painfully aware that not everyone likes CGI.pm's HTML shortcuts. Feel free to remove them and put your HERE docs back in :)

Hope this helps! If you have any other questions, let us know.

Cheers,
Curtis Poe

=
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/

__
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
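The allow-list idea from Curtis's reply, carried a little further as an added example (this is not Curtis's or Lee's code): the user's input only ever selects a hash key, every directory entry has to match a strict filename pattern (which also untaints it under -T), and the name is HTML-escaped before it lands in an img src. The temporary directory, its file names and the `../private` input are constructed for the demo.

```perl
use strict; use warnings;
use File::Temp qw(tempdir);

# Map a user-supplied key to a directory, or return undef if it is not one of
# the known-good keys. The values are literals, so nothing typed by the user
# ever reaches opendir (taint mode has nothing to complain about).
sub resolve_dir {
    my ( $dirs, $key ) = @_;
    return undef unless defined $key && exists $dirs->{$key};
    return $dirs->{$key};
}

# List image files in $dir. Each name must match a strict pattern (letters,
# digits, dot, dash, underscore, ending in .gif or .jpg). The capture untaints
# the name for -T, and entries with a slash or a leading dot are dropped.
sub image_files {
    my ($dir) = @_;
    opendir my $dh, $dir or return;
    my @files;
    for my $entry ( readdir $dh ) {
        next unless $entry =~ /\A([A-Za-z0-9][A-Za-z0-9._-]*\.(?:gif|jpg))\z/;
        push @files, $1;
    }
    closedir $dh;
    return sort @files;
}
# Escape the characters that matter inside an HTML attribute.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}
# One table row per file; $url_base is the web path, not the filesystem path.
sub image_rows {
    my ( $url_base, @files ) = @_;
    return map { my $src = escape_html("$url_base$_"); qq{<tr><td><img src="$src"></td></tr>} } @files;
}

# Constructed demo: a temporary directory stands in for /archives/1/.
my $tmp = tempdir( CLEANUP => 1 );
for my $name (qw(b.jpg a.gif notes.txt .hidden.gif)) {
    open my $fh, '>', "$tmp/$name" or die "cannot create $name: $!";
    close $fh;
}
my %dirs = ( archimage1 => "$tmp/" );   # real script: archimage1 => '/archives/1/'
for my $input ( 'archimage1', '../private', '' ) {
    my $dir = resolve_dir( \%dirs, $input );
    print defined $dir ? "'$input' -> allowed\n" : "'$input' -> rejected\n";
}
print "$_\n" for image_rows( '/archives/1/', image_files( $dirs{archimage1} ) );
```

Only a.gif and b.jpg survive the filter; notes.txt and .hidden.gif are dropped, and the two non-key inputs never reach opendir at all.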
Re: Newbie -- got a question
Hi,

On Tue, 7 Aug 2001, Lee Hoffner wrote:
> use strict;
> use CGI qw/:standard/;
> my $dir = param('dir');
>
> #Verify that the requested directory exists.
> #I imagine I want to say something like:
> if (-d $dir) {
>
> print <<END;
> Content-Type: text/html\n\n
>
>
>
> END
> @filearray = opendir(D,$dir) or die $!;

Since you've already opened the HTML page, you would want a graceful die procedure here, something like

sub dieNice {
    # assume http headers sent already and html page has begun
    print "Sorry, this system is unavailable now.";
    print "";
    exit;
}

I like to tell users that a system is unavailable rather than some not found message. Of course in this case, you'd want to send yourself a message since you're passing the image directory to yourself, but a user can change it.

Lastly, you could also pass the image directory as a PATH_INFO variable:

    http://foo.com/script.pl/image_dir
    $ENV{PATH_INFO} = "image_dir"

(I can't remember if / is included or not)

Lisa Wolfisch Nyman <[EMAIL PROTECTED]> IT Warrior Princess
"Life is too short to wear ugly underwear."
Get the facts at http://quickfacts.census.gov/
Re: Newbie -- got a question
Thanks, Curtis! Below is the script. (I hope it's clear!)

#!/usr/local/bin/perl

#This script will be called using the "POST" method,
#contained in a HREF that the
#site visitor clicked on.
#The call will contain an argument, which will
#be the name of the directory for the
#script to read using READDIR.

use strict;
use CGI qw/:standard/;
my $dir = param('dir');

#Verify that the requested directory exists.
#I imagine I want to say something like:
if (-d $dir) {

#Anyway, if the directory represented by
# $dir does exist,
# I start a table on the HTML page...
print <<END;
Content-Type: text/html\n\n
END

#...then I build an array of all files that are GIF or JPEG...
#(I think this would get me all the files in the directory $dir.)
#(By the way, do I need "my" in front of this declaration?)
@filearray = opendir(D,$dir) or die $!;

#From the complete listing in @filearray,
#build a new array, which contains only
#files of GIF and JPG types...
@imagefiles = grep/\.(gif|jpg)$/,readdir(D);
closedir D;

#With @imagefiles successfully defined, I want to loop through the slots
#in @imagefiles, using each entry as the IMG SRC in a new table row...
for ($i = 0; $i <= $#imagefiles; $i++) {
print <<END;
END
last;
}

#With the loop finished, the script finishes writing the HTML page.
print <<END;
END

#Fail (somewhat) gracefully...
} else {
print <<END;
"The directory could not be found."
END
}
Re: Newbie -- got a question
--- Lee Hoffner <[EMAIL PROTECTED]> wrote:
> I think you might want to see my script, to see where I am trying to go. As
> this is my first day on this list, I'd like to know if it's okay for me to
> post an entire script before I do. It's 69 lines, with a lot of comments
> stating what I am trying to do. Would you all mind if I post it, or would
> you prefer to communicate with me off-list?
>
> Much obliged!

Considering what you are trying to do, I think seeing the entire script would probably be a good thing. Sixty-nine lines is not very long, but others on this list might disagree.

Cheers,
Curtis Poe

=
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
Re: Newbie -- got a question
I think you might want to see my script, to see where I am trying to go. As this is my first day on this list, I'd like to know if it's okay for me to post an entire script before I do. It's 69 lines, with a lot of comments stating what I am trying to do. Would you all mind if I post it, or would you prefer to communicate with me off-list?

Much obliged!

- Original Message -
From: Lee Hoffner
To: PERL Beginner List
Sent: Tuesday, August 07, 2001 6:48 PM
Subject: Newbie -- got a question

I'm new to scripting in PERL (I've only done Javascript and Lingo before).

I'm building a script to write an HTML page on the fly, using image files that are in a directory that is given to the script as a variable. How do I pass my variable to my script from the HREF link that my user clicks? (EG: my script is in my cgi-bin directory and is named "pgbuilder.pl". Do I make the link something like http://www.domain.com/cgi-bin/pgbuilder.pl?archimage, where "archimage" is the name of the directory I want to pass the script?

The script itself will use $dir = param('dir') to receive/store the variable.

Thanks!

__
Lee Hoffner
Re: Newbie -- got a question
--- Lee Hoffner <[EMAIL PROTECTED]> wrote:
> I'm new to scripting in PERL (I've only done Javascript and Lingo before).
>
> I'm building a script to write an HTML page on the fly, using image files
> that are in a directory that is given to the script as a variable. How do I
> pass my variable to my script from the HREF link that my user clicks? (EG:
> my script is in my cgi-bin directory and is named "pgbuilder.pl". Do I make
> the link something like
> http://www.domain.com/cgi-bin/pgbuilder.pl?archimage, where "archimage" is
> the name of the directory I want to pass the script?
>
> The script itself will use
> $dir = param('dir')
> to receive/store the variable.

You almost had it! First, you'll probably want to tweak the HREF link just a bit:

    http://www.domain.com/cgi-bin/pgbuilder.pl?dir=archimage

Then, the Perl code:

    use strict;
    use CGI qw/ :standard /;
    my $dir = param( 'dir' );

However, this could be a problem. What, exactly, is 'dir' supposed to contain and how do you want to open that directory? If you are opening directories and serving content directly from them, you could have some serious security issues. Unfortunately, security is very difficult to get right. One example of how this can go horribly wrong is at http://www.perlmonks.org/index.pl?node_id=36121

If you can post some more of your code (particularly what you're doing with $dir), we can go over it and let you know if there are any issues that you may want to address.

Cheers,
Curtis Poe

=
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
Newbie -- got a question
I'm new to scripting in PERL (I've only done Javascript and Lingo before).

I'm building a script to write an HTML page on the fly, using image files that are in a directory that is given to the script as a variable. How do I pass my variable to my script from the HREF link that my user clicks? (EG: my script is in my cgi-bin directory and is named "pgbuilder.pl". Do I make the link something like http://www.domain.com/cgi-bin/pgbuilder.pl?archimage, where "archimage" is the name of the directory I want to pass the script?

The script itself will use $dir = param('dir') to receive/store the variable.

Thanks!

__
Lee Hoffner