Posted to embperl@perl.apache.org by Jan Kyncl <ky...@pcv.cz> on 2001/10/05 18:58:00 UTC
$fdat like part of filename
Hi,
I have this problem: when I use the $fdat variable as part of a filename I get this error:
[28024]ERR: 24: Line 1: Error in Perl code: Insecure dependency in open while running with -T switch at /home/www/ceska-media/content_management/fdat.html line 13.
Source code:
$path = '/home/www/doc/server/data_media/photos/authors/';
$path .= $fdat{id};     # submitted value goes straight into the path (tainted)
$path .= '.jpg';
# "or die" instead of "|| die": "||" binds to the string, so die would never fire
open FILE, "> $path" or die "cannot open $path: $!";
print FILE $buffer
    while read($fdat{photo}, $buffer, 32768);   # $fdat{photo} is the upload handle
close FILE;
My configuration:
Apache/1.3.14 (Unix) mod_perl/1.24_01 mod_ssl/2.7.1 OpenSSL/0.9.6 HTML::Embperl 1.3.0 [Fri Oct 5 18:51:10 2001]
Thanks anyway
Best regards
Jan Kyncl
Director
Prvni ceska virtualni Ltd.
Re: $fdat like part of filename
Posted by Gerald Richter <ri...@ecos.de>.
> I have this problem: when I use the $fdat variable as part of a filename I get this error:
> [28024]ERR: 24: Line 1: Error in Perl code: Insecure dependency in open
> while running with -T switch at
> /home/www/ceska-media/content_management/fdat.html line 13.
That's the sense of Perl tainting, it tells you you shouldn't do that:
>$path.=$fdat{id};
>
>$path.='.jpg';
>open FILE, "> $path" || die;
What happens if anybody submits a ../../ etc. as id? In that case the
picture will get written to the wrong location, maybe somebody will be able
to overwrite something...
Never use submitted values directly in a file path, always validate them
with a regex. The regex will also remove tainting from the value. See man
perlfaq for more info about tainting.
Gerald
-------------------------------------------------------------
Gerald Richter ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting
Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: richter@ecos.de Voice: +49 6133 925131
WWW: http://www.ecos.de Fax: +49 6133 925152
-------------------------------------------------------------
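An added example (not code from the thread) of the validation Gerald recommends: the submitted id is matched against an allow-list regex, the capture group is what untaints it, and only the validated value is used to build the path; the upload copy loop from the original post follows with a three-argument open. The `%fdat` values, the upload handle and the target directory are constructed stand-ins for Embperl's request data.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed sample ids standing in for $fdat{id}; Embperl fills %fdat from the request.
my @sample_ids = ('../../etc/passwd', 'author 042', 'author-042');

# Allow-list check. The capture is what untaints: only characters that matched
# the pattern end up in $1, so Perl no longer treats the result as tainted.
sub untaint_id {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    return $1;
}

# Build the destination path from the validated id only, never from the raw
# submission. $dir is the photo directory (a temp dir in this demo).
sub photo_path {
    my ($dir, $id) = @_;
    my $clean = untaint_id($id);
    return undef unless defined $clean;
    return File::Spec->catfile($dir, "$clean.jpg");
}

# Copy the upload handle to disk 32 KiB at a time, as the original post does.
# Three-argument open with an explicit mode, and "or die" rather than "|| die"
# (which binds to the string and never fires), so failures are reported.
sub store_photo {
    my ($in, $path) = @_;
    open(my $out, '>', $path) or die "cannot open $path: $!";
    binmode $out;
    my $buffer;
    while (read($in, $buffer, 32768)) {
        print {$out} $buffer or die "write failed: $!";
    }
    close $out or die "close failed: $!";
    return -s $path;
}

my $dir = tempdir(CLEANUP => 1);    # constructed stand-in for photos/authors/
for my $id (@sample_ids) {
    my $path = photo_path($dir, $id);
    printf "%-20s -> %s\n", "'$id'", defined $path ? $path : 'REJECTED';
}

# Simulated upload: an in-memory filehandle stands in for $fdat{photo}.
open(my $upload, '<', \"\xFF\xD8\xFF\xE0 constructed jpeg bytes") or die $!;
printf "wrote %d bytes\n", store_photo($upload, photo_path($dir, 'author-042'));
```

Run it as `perl -T script.pl` so taint mode matches the shebang; the first two ids are rejected and only `author-042` produces a path under the directory.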