Insecure Dependency?!

gus
Deleted

Mar 2, 2000, 7:20 AM

Post #1 of 4 (836 views)
Insecure Dependency?!

Hi,

I've started to learn perl and I'm trying to write a *very* simple guestbook http://onlinelogbook.tripod.com/form.html but when I try and submit a message I get the error: "Insecure dependency in open while running with -T switch at ./form.pl line 20."

Line 20 is where I have: open (WRITE, ">messages/$number");

Messages are stored in files within the "messages" directory, numbered sequentially. The number of messages stored is held in "messageno.dat". When a submission is made the script reads in messageno.dat and assigns the value to $number. It then increments $number and tries to execute line 20, opening a new file to put the form fields in.

Simple, eh? So why the error? There are two more scripts (readmail.pl and readmail2.pl) which work fine.

Any help would be much appreciated,

Gus

# full code for form.pl
#!/usr/local/bin/perl

# open file to see how many messages there are
open( FILEIN, "<messages/messageno.dat" ) or die "Can't read messages/messageno.dat: $!";

# put contents of file (i.e. number) into variable
$number = <FILEIN>;

# strip the trailing newline so only the digits are left
chomp( $number );

# don't need the file anymore
close( FILEIN );

# increment the variable
$number = $number + 1;

# open the dat file, this time for writing
open( FILEOUT, ">messages/messageno.dat" ) or die "Can't write messages/messageno.dat: $!";

# put the new number of messages back in the dat file
print FILEOUT "$number";

# don't need it anymore
close( FILEOUT );

# open a new file to write to (this is line 20, where the error is reported)
open( WRITE, ">messages/$number" ) or die "Can't create messages/$number: $!";

# get arguments
$Query_String = $ENV{'QUERY_STRING'};

# use "&" to split args into an array
@NameValuePairs = split (/&/,$Query_String);

print "Content-type: text/html\n\n";
print "<html><head><title>Form Response</title></head><body>\n";

print "<center>";

print "<br>";

print "<h1>You have entered:</h1>\n";

# step through array
foreach $NameValue (@NameValuePairs) {
# split each element
($Name, $Value) = split (/=/,$NameValue);
# change "+" back to a space
$Value =~ tr/+/ /;
# change a new line for a <br>
$Value =~ s/%0D%0A/<br>/g;
# put all the reserved characters back to normal
$Value =~ s/%([\da-fA-F][\da-fA-F])/ pack ("C", hex ($1))/eg;
print "<h3>$Name...</h3>$Value<br>\n";
$Value =~ s/<br>/\n/g;
# output to file
print WRITE "$Name...\n";
print WRITE "----------\n";
print WRITE "$Value\n\n";
}

# done with this
close( WRITE );

print "<br>";

print "<h2>...thank you</h2>";

print '<a href="http://onlinelogbook.tripod.com/form.html">BACK</a>';

print "</center>";

print "</body></html>";


darian
Deleted

Mar 2, 2000, 8:42 AM

Post #2 of 4 (836 views)
Re: Insecure Dependency?!

Try adding a little error checking with your open statements like below. This will print out the error for you.

open (WRITE, ">messages/$number") || &error("$!");

sub error {
    # send a header first so the browser shows the message instead of a server error
    print "Content-type:text/html\n\n";
    print qq~
Could not complete this operation because: $!
~;
    # stop here; there is nothing sensible to do once the open has failed
    exit;
}


Cure
User

Mar 2, 2000, 3:01 PM

Post #3 of 4 (836 views)
Re: Insecure Dependency?!

Hi gus

Gus, I ran your script on my server and it worked for me.

Replace this line in your script:
open( FILEIN, "<messages/messageno.dat" ) or die "$!";


You should take advantage of CGI.pm


Cure

[This message has been edited by Cure (edited 03-02-2000).]


japhy
Enthusiast

Mar 5, 2000, 6:50 PM

Post #4 of 4 (836 views)
Re: Insecure Dependency?!

The message is due to your version of Perl automatically turning on "taint checking". That means that any data you get from OUTSIDE OF YOUR PHYSICAL PROGRAM has to be checked to ensure it's not potentially harmful. This is achieved by using a regular expression. In your case, the method I'd use is:

code:

if ($number =~ /^(\d+)$/) {
    # $number must ONLY CONTAIN DIGITS
    $number = $1;    # $1 is the digits
}
else {
    die "Bad data from file (expected a number, got $number)";
}

Read the 'perlsec' documentation, and read 'perlrun' to find out about the -T option (taint checking).
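The following is an added example, not code from anyone in this thread: a taint-safe rewrite of the counter logic in form.pl that combines darian's "or die" error checking with japhy's regex untaint, and adds an exclusive lock so two submissions arriving at once cannot both get the same number. It assumes the same "messages" directory and "messageno.dat" counter file as form.pl; the sub names (untaint_number, next_message_number) are this example's own.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): taint-safe message counter for a
# guestbook laid out like form.pl. Run as "perl -T counter.pl" so that
# taint checking is on, exactly as it was on gus's server.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);
use Scalar::Util qw(tainted);

my $DIR     = 'messages';              # assumed: same layout as form.pl
my $COUNTER = "$DIR/messageno.dat";    # assumed: same counter file as form.pl

# Untaint a counter value read from a file. Under -T anything read from a
# filehandle is tainted; the only way to clean it is to capture the part you
# have verified. \A and \z (rather than ^ and $) refuse a trailing newline or
# any other extra character, so "12\n" is chomped first and "12abc" dies.
sub untaint_number {
    my ($raw) = @_;
    chomp $raw;
    return $1 if $raw =~ /\A(\d+)\z/;
    die "Bad data from file (expected a number, got '$raw')\n";
}

# Read the counter, increment it and write it back while holding an exclusive
# lock. Every open/seek/write is checked, so a failure reports the reason
# instead of silently handing back a wrong number.
sub next_message_number {
    sysopen(my $fh, $COUNTER, O_RDWR | O_CREAT) or die "open $COUNTER: $!";
    flock($fh, LOCK_EX)                         or die "flock $COUNTER: $!";
    my $current = <$fh>;
    $current = '0' unless defined $current && length $current;
    my $number = untaint_number($current) + 1;
    seek($fh, 0, 0)          or die "seek $COUNTER: $!";
    truncate($fh, 0)         or die "truncate $COUNTER: $!";
    print {$fh} "$number\n"  or die "write $COUNTER: $!";
    close($fh)               or die "close $COUNTER: $!";
    return $number;
}

# Demonstration: show that the raw value is tainted and the checked one is
# not, then open the new message file, which is the open that failed for gus.
-d $DIR or mkdir $DIR or die "mkdir $DIR: $!";

open(my $peek, '<', $COUNTER) or die "open $COUNTER: $!";
my $raw = <$peek>;
close $peek;
if (defined $raw) {
    printf "raw counter value tainted: %s\n",    tainted($raw) ? 'yes' : 'no';
    printf "untainted value tainted:   %s\n",
        tainted(untaint_number($raw)) ? 'yes' : 'no';
}

my $number = next_message_number();
my $path   = "$DIR/$number";
open(my $out, '>', $path) or die "Can't create $path: $!";
print {$out} "message $number\n";
close($out) or die "close $path: $!";
print "wrote $path\n";
```

Two points worth noting. The check rejects rather than repairs: if messageno.dat is corrupt the script dies with the file contents in the message, which is what you want to see in the error log, instead of creating a file with a name built from whatever was in there. And the three-argument open with a lexical filehandle is the modern form of gus's two-argument open; it matters under taint checking because the mode is fixed in the code and can never be supplied by the data.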
