PerlMonks

Re: wget not working from perl

by haukex (Bishop)
on Sep 14, 2019 at 08:36 UTC (node #11106166)


in reply to wget not working from perl

I waited with posting this until you'd taken down your script, which it seems you've done now, because it contains at least one classic and major security issue: As I've described in my node here, allowing practically unfiltered user input to be used directly in backticks allows anyone to execute arbitrary shell commands on your server. (Not to mention the fact that this script is basically a proxy open to everyone, which is an issue by itself.)

For example, a QUERY_STRING of example.com%22%3Bcat+%22%2Fetc%2Fpasswd would have caused the script to execute the shell command wget ... "http://example.com";cat "/etc/passwd". I hope you see the major problem with that or any other arbitrary command.

I've also commented on your style of reinventing all the wheels before. I don't do this just for the sake of the criticism itself or because I want to discourage learning or take from any enjoyment you might get from writing code in this style - I'm very much a fan of TIMTOWTDI - and if you want to write these scripts like this for yourself, that's fine. But as soon as you put these into some kind of "production", what I've said before becomes a real issue: the more code you write yourself, the more code you have to test and maintain*. (And for asking questions, it gives others much more code to wade through.)

And if you expose this to the world, there's the added issue of having much more code to secure properly. And with security issues, your site can quickly become the next spam relay or home for scammers, so it affects everyone.

If you're going to be putting stuff online like this, I implore you to use the proper modules and follow the best practices for security.

* Just for example, your sub unescape contains at least one bug: If the input string starts with a %HH encoded character, that is skipped, because my $i = index( $X, '%' ) >= 0 || return $X; doesn't actually get the index; $i will always be the return value of the logical expression. Every single one of your obfuscated subs has a corresponding function in a popular, well-maintained module, or in the Perl core itself.
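As an added illustration of the two points in the reply above (it is not haukex's code and not the original poster's script), the following Perl shows the shape of a fixed version: the percent-decoding is delegated to URI::Escape, the decoded value is parsed with URI and checked against a host allow-list, and the fetch is done either from Perl itself with LWP::UserAgent or, if wget really is required, via list-form system() so no shell ever sees the user-supplied string. The inputs, the allow-list and the module choices are assumptions for the example; the third input is the injection string from the reply and is rejected because its "host" is not on the list.

```perl
#!/usr/bin/perl
# Added example, not code from the PerlMonks thread. Shows how to take a
# user-supplied target safely: library decoding, URL validation with an
# allow-list, and no shell between Perl and wget.
use strict;
use warnings;
use URI;
use URI::Escape qw(uri_unescape);
use LWP::UserAgent;

# Constructed sample inputs (assumption for this example). The second one
# starts with a %HH sequence, the case the hand-rolled unescape sub skipped;
# the third is the injection string discussed above.
my @inputs = (
    'example.com',
    '%77ww.example.com',
    'example.com%22%3Bcat+%22%2Fetc%2Fpasswd',
);

# Hosts this script is willing to fetch from (assumption for this example).
my %allowed_hosts = map { $_ => 1 } qw(example.com www.example.com);

# Returns a URI object for an acceptable target, or undef to reject it.
sub validate_target {
    my ($raw) = @_;
    my $decoded = uri_unescape($raw);      # well-tested decoder, handles a leading %HH
    $decoded = "http://$decoded" unless $decoded =~ m{^https?://}i;
    my $uri = URI->new($decoded);
    return undef unless $uri->scheme && $uri->scheme =~ /^https?$/;
    return undef unless $uri->can('host') && defined $uri->host;
    # The injection string decodes to a "host" of   example.com";cat "   which
    # is simply not on the allow-list, so it never reaches a command line.
    return undef unless $allowed_hosts{ lc $uri->host };
    return $uri;
}

for my $raw (@inputs) {
    my $uri = validate_target($raw);
    if (!$uri) {
        print "REJECTED: $raw\n";
        next;
    }

    # Option 1: no external process at all; LWP does the HTTP work in-process.
    my $ua  = LWP::UserAgent->new(timeout => 10);
    my $res = $ua->get($uri);
    printf "LWP %s -> %s\n", $uri, $res->status_line;

    # Option 2: wget without a shell. With a list of more than one element,
    # system() execs wget directly, so ';' or '"' in the URL are just bytes in
    # argv and cannot start a second command. '--' ends option parsing so a
    # URL beginning with '-' cannot be read as a wget flag.
    my @cmd = ('wget', '-q', '-O', '-', '--', "$uri");
    system(@cmd) == 0 or warn "wget exited with status $?\n";
}
```

Running this makes real HTTP requests for the two accepted inputs and prints REJECTED for the third. The allow-list is the essential part: even with the shell removed, an open fetcher that accepts any host is still the open proxy the reply warns about.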
