
Jasmine
Administrator
/ Moderator
Jan 23, 2000, 7:34 PM
Post #4 of 5
(2395 views)
Whoa... gaping security hole! But first, yes, if you want to pass information to the program like this, <exec cgi="counter.cgi?counter_file=xxxxxx">, you need to tell the program what the variable name and value are. That's what your parseInput subroutine does. So put the sub parseInput subroutine in (and get rid of the () that's after the sub parseInput that you have in your code), and put &parseInput; before you start opening files. This invokes the subroutine, which will assign the information you're passing to the program, in this case $fields{'counter_file'}.

As for the security hole... you never want to allow anyone to pass a whole filename for opening and manipulating on your server. What if someone passed <exec cgi="counter.cgi?counter_file=/home/yourdomain/www/index.html"> (or worse, a password file)? The counter program would open it, increment it, and display it in the browser. Voila! A messed up home page.

The best thing to do is set a complete server path for the file, and if the file has a static suffix, toss that in there too for good measure (and don't pass the file suffix in your exec cgi call, just the filename). Example:

code:

    #!/usr/local/bin/perl

    print "Content-type: text/html\n\n";

    # Fill %fields from the query string (counter_file=...)
    &parseInput;

    # Fixed directory and fixed suffix; only the bare name comes from the query
    $serverpath = "/server/path/to/counter/file";
    $file = "$serverpath/$fields{'counter_file'}.dat";

    # Read the current value
    open(COUNTER, "< $file") || die "Couldn't open $file for reading $!";
    $value = <COUNTER>;
    close(COUNTER);

    $value++;

    # Write the incremented value back
    open(COUNTER, "> $file") || die "Couldn't open $file for writing $!";
    print COUNTER $value;
    close(COUNTER);

    # print $value;

    sub parseInput {
        # code
    }
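Prefixing a directory and appending a fixed suffix, as in the post above, still leaves one gap: a value such as counter_file=../../somewhere/else is joined into the path unchanged and can walk out of the counter directory. The following is an added example, not code from the original thread, showing the same counter with an allow-list check on the name before it reaches open(). The directory path, the parse_input helper (a minimal stand-in for the thread's parseInput) and the 32-character limit are assumptions for illustration.

```perl
#!/usr/local/bin/perl
use strict;
use warnings;
use Fcntl qw(:flock SEEK_SET);

# Assumed base directory for counter files (not taken from the original post).
my $counter_dir = '/server/path/to/counter/file';

# Minimal query-string parser standing in for the thread's parseInput:
# splits on & or ;, decodes + and %XX, returns a hashref of fields.
sub parse_input {
    my ($query) = @_;
    my %fields;
    for my $pair (split /[&;]/, ($query // '')) {
        my ($key, $val) = split /=/, $pair, 2;
        next unless defined $key && length $key;
        $val = '' unless defined $val;
        for ($key, $val) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        }
        $fields{$key} = $val;
    }
    return \%fields;
}

# Allow-list check: a counter name is a short token of letters, digits,
# underscore or hyphen. '/', '.', NUL and everything else is rejected, so
# "../../etc/passwd" and "/home/yourdomain/www/index" never reach open().
# (Under taint mode, -T, the captured group is also what untaints the value.)
sub safe_counter_name {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    return $1;
}

# Build the full path, or return undef if the name is not acceptable.
sub counter_path {
    my ($name) = @_;
    my $safe = safe_counter_name($name);
    return undef unless defined $safe;
    return "$counter_dir/$safe.dat";
}

# Read, increment and write back under an exclusive lock. The file must
# already exist (no create flag), so the CGI cannot be used to create files,
# and a non-numeric file body is treated as zero rather than executed on.
sub bump_counter {
    my ($path) = @_;
    open(my $fh, '+<', $path) or return undef;
    flock($fh, LOCK_EX)      or return undef;
    my $line  = <$fh>;
    my $value = (defined $line && $line =~ /\A\s*(\d+)\s*\z/) ? $1 : 0;
    $value++;
    seek($fh, 0, SEEK_SET) or return undef;
    truncate($fh, 0)       or return undef;
    print {$fh} "$value\n";
    close($fh)             or return undef;
    return $value;
}

# CGI entry point: only runs when executed directly, not when required.
if (!caller) {
    print "Content-type: text/html\n\n";
    my $fields = parse_input($ENV{QUERY_STRING});
    my $path   = counter_path($fields->{counter_file});
    if (!defined $path) {
        print "bad counter name\n";
        exit 0;
    }
    my $value = bump_counter($path);
    print defined $value ? "$value\n" : "counter unavailable\n";
}
```

With this in place, counter_file=home yields /server/path/to/counter/file/home.dat, while counter_file=../index, counter_file=/etc/passwd and an empty name all return undef from counter_path and the script answers "bad counter name" without touching the filesystem. Opening with '+<' instead of separate '<' and '>' opens also removes the window between the read and the write in which two concurrent hits could lose an increment, which the flock makes explicit.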