DB using a flat file for dynamic content in HTML
I have created a simple perl parsing cgi that returns data to the user from a flat file. I am using the open command. It all works fine but I have read that the open command can open up a can of worms. Can anyone tell me the pitfalls of using open and how to protect myself from the open command being used as an entry point for Hackers. Or just tell me I'm being paranoid.
Thanks
G
Rob Pengelly posted this at 20:49 — 8th January 2001.
They have: 850 posts
Joined: Jul 1999
It really depends on the situation. Is the file that you are opening already defined in your script?
ie-
$file = 'data.txt';
open(IN,$file) or die "Can't open $file: $!\n";
If this is the case, you are fine, because you will only open the specified file.
Or, are you getting user input first, and opening a specific file depending on the user's input? If this is the case, it is always good to write a small regexp (Regular Expression) to make sure there are no '/' in the input variable. I usually use:
$foo =~ s/\///g;
http://www.thehungersite.com - http://www.therainforestsite.com
http://www.ratemymullet.com - Beauty is only mullet deep.
spragueg posted this at 01:15 — 9th January 2001.
They have: 23 posts
Joined: Jan 2001
It's always the same file but the user is requesting data via forms or action tags. I have a parsing lib that gets my pairs out. Should I use the regexp there? For example I have a variable like "words=01234" passed via the url or form. If I read that regexp right it's looking for any "/" and replacing it with nothing? So should I do $words =~ s/\///g; before I open my file? Do I understand?
Thanks
G
Rob Pengelly posted this at 02:29 — 9th January 2001.
They have: 850 posts
Joined: Jul 1999
I should have been more clear, sorry. The regexp is only necessary when you are opening a file input by the user.
Matt@Ikonboard posted this at 02:44 — 10th January 2001.
They have: 16 posts
Joined: Jan 2001
Focusing on opening files from user input, I'd go full on taint.
Something like:
my $File = $q->param('file'); #or however the data is parsed..
$File = CleanFilename($File);
open FH, $File or die $!;
.....
#Some where in a script/lib/module - whatever
sub CleanFilename {
die "Illegal Characters" unless $_[0] =~ m!^([\w.-]+)$!;
return $1; # $1 is now untainted
}
my $friends = qq[=:Jilly , Andrew , Peter & Harry:=];
print &welcome($friends), "2"; my @home;
sub welcome{my $s=shift; $s=~s{^(=\(.+?)(\:=)$}
{$_=$2;@home=split/[&,]/;}esgx;$friends= join'me',@home;
$friends=~s{(\A|\S|\s+)([A-Z]).+?(\s|\Z)}{$2}sge;my$c=-1;
$friends=~s{(me|\Z)}{++$c;@_=(qw|ust nother erl acker|);qq!$_[$c] !;}eg; $friends}
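A safer version of the user-supplied-file-name pattern from Rob's and Matt's replies above, as an added example (not code from the thread): it whitelists the name, untaints it through the regexp capture, and uses the three-argument open against a fixed directory. The data directory and the sample flat file are constructed here so the script runs stand-alone; the hypothetical key=value layout of the file is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Directory the CGI is allowed to read from (assumption: one fixed data dir).
my $DATA_DIR = tempdir(CLEANUP => 1);

# Constructed sample flat file, "key|value" per line.
open my $out, '>', "$DATA_DIR/data.txt" or die "cannot write sample: $!";
print $out "01234|first record\n56789|second record\n";
close $out;

# Untaint a user-supplied file name: accept only a plain name made of word
# characters, dots and dashes that does not start with '.' or '-'. Slashes,
# '|', '>', '..', spaces and NUL bytes never match and are rejected outright.
sub clean_filename {
    my ($name) = @_;
    return undef unless defined $name;
    return undef if $name =~ /\.\./;
    return $name =~ /\A([A-Za-z0-9_][\w.-]*)\z/ ? $1 : undef; # $1 is untainted
}

# Three-argument open: the name can never be read as a mode ('>') or a
# pipe ('|'), and it is always resolved underneath $DATA_DIR.
sub read_record {
    my ($raw_name, $key) = @_;
    my $name = clean_filename($raw_name) or return "rejected";
    open my $in, '<', "$DATA_DIR/$name" or return "missing";
    while (my $line = <$in>) {
        chomp $line;
        my ($k, $v) = split /\|/, $line, 2;
        next unless defined $k;
        return $v if $k eq $key;
    }
    return "not found";
}

# Constructed requests: one legitimate name, three that the check refuses,
# and one well-formed name that simply does not exist.
for my $req ('data.txt', '../other.txt', 'date |', '>data.txt', 'nothere.txt') {
    printf "%-16s => %s\n", $req, read_record($req, '01234');
}
```

Run it as `perl -T script.pl` to enable taint checking; the capture in clean_filename is what makes the untainted name acceptable to open under -T.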
Matt@Ikonboard posted this at 02:48 — 10th January 2001.
They have: 16 posts
Joined: Jan 2001
It depends on the method used to parse. I urge the use of the CGI perl module. It's a little heavy on compile times, but worth it for its clean and easy to use interface.
Always do some kind of data checking on parsed value=pairs tags.
I'd use something like:
sub CleanValue {
    my ($obj, $Tmp) = @_;
    # drop NUL bytes, which can truncate the string in C-level calls
    $Tmp =~ s!\0!!g;
    # escape the basic HTML metacharacters
    my %ENT=('&'=>'amp','<'=>'lt','>'=>'gt','"'=>'quot');
    $Tmp =~ s!([&<>"])!&$ENT{$1};!sg;
    # further characters neutralised as HTML entities (replacement entities
    # assumed: the forum rendered the originals decoded as literal characters)
    $Tmp =~ s|<!--|&lt;!--|g;
    $Tmp =~ s|-->|--&gt;|g;
    $Tmp =~ s|<script>|&lt;script&gt;|ig;
    $Tmp =~ s|^\$+$|&#036;|g;
    $Tmp =~ s!\|!&#124;!g;
    $Tmp =~ s|\{|&#123;|g;
    $Tmp =~ s|\}|&#125;|g;
    $Tmp =~ s|\,|&#044;|g;
    $Tmp =~ s|\*|&#042;|g;
    $Tmp =~ s|'|&#039;|g;
    # strip trailing whitespace and carriage returns
    $Tmp =~ s|\s+$||g;
    $Tmp =~ s|\$|&#036;|g;
    $Tmp =~ s|\r||g;
    return $Tmp;
}
Vorm posted this at 21:06 — 14th January 2001.
They have: 62 posts
Joined: May 2000
What can someone do with the script tag when it comes to opening a file?