l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
November 4: Social gathering
Next Installfest:
TBD
Latest News:
Oct. 24: LUGOD election season has begun!
Page last updated:
2002 Feb 20 17:18

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Need help securing a simple perl CGI
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Need help securing a simple perl CGI



I highly recommend the CGI perl module. You can do all
of what you want to do in one line.

#!/usr/local/bin/perl -Tw

use strict
use CGI qw(:standard);

my $query = new CGI; # Class method to instantiate object
                     # Black magic all occurs in background

print header, 
      start_html;

print h1($query->param('foo'));

print end_html;

To find out more about the CGI module, take a look at

$ perldoc CGI

Also, check the World Wide Web Security FAQ
http://www.w3.org/Security/Faq/

And Lincoln Stein's web page:
http://stein.cshl.org/~lstein/

And Randal Schwartz's columns:

http://www.stonehenge.com/merlyn/
http://www.stonehenge.com/merlyn/WebTechniques/

brian

On Sun, Feb 17, 2002 at 10:26:28PM -0800, Ryan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> This is a perl cgi script I wrote to allow me to have large html files on my 
> web host without exceeding my storage quota.
> 
> I'd like it looked at, _I_ can no longer abuse it to run random commands or 
> go where I shouldn't, but that doesn't mean others can'.
> 
> Any other feedback would also be great.
> 
> #!/usr/bin/perl
> #Let users transparently access files that are gzipped server-side
> #Useful only to keep under my storage quota ;-)
> 
> my $in = $ENV{'QUERY_STRING'};		# Handle CGI calls
> $in =~ s/\+/ /g;			# Replace '+' with ' '
> $in =~ s/%(..)/pack("c",hex($1))/ge;	# Undo URL quoting
> 
> $in =~ s/\.\.//g;			# Foil Nasty h4x0rz trying to desend
> 					# directories
> $in =~ s/\\//g;				# There is no need for backslashes!
> $in =~ s/\'//g;				# prevent h4x0rz from
> 					# running commands like
> 					# zcat.cgi?file=foo.html.gz';rm -rf *'
> 
> my %data = split (/=/, $in);		# Make an array
> 
> my $file = $data{'file'};		# get the name of the requested file
> 
> print "Content-Type: text/html\n\n";
> # print `echo '$file'`;			# debugging
> print `zcat ~/WWW/'$file'`;		# quotes prevent nastys.
> 
> - -- 
> No Microsoft products were used in any way for the creation of this message.
> PGP Public key at http://mother.com/~ryan/ryan_at_mother_dot_com.asc
> It is also on the servers: Key ID 0x72177BC7
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD4DBQE8cJ6cEd9E83IXe8cRAq5qAJ9+/mIZVuwdV/uCwIzU4Cz1/Kp3bQCYrHty
> tRBI7Iewb8CvWNC/kQE2DA==
> =WHOW
> -----END PGP SIGNATURE-----
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

-- 
Brian Lavender
http://www.brie.com/brian/
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!