Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery

Re: wget not working from perl

by haukex (Archbishop)
on Sep 14, 2019 at 08:36 UTC ( [id://11106166] : note . print w/replies, xml ) Need Help??

in reply to wget not working from perl

I waited with posting this until you'd taken down your script, which it seems you've done now, because it contains at least one classic and major security issue: As I've described in my node here, allowing practically unfiltered user input to be used directly in backticks allows anyone to execute arbitrary shell commands on your server. (Not to mention the fact that this script is basically a proxy open to everyone, which is an issue by itself.)

For example, a QUERY_STRING of would have caused the script to execute the shell command wget ... "";cat "/etc/passwd". I hope you see the major problem with that or any other arbitrary command.

I've also commented on your style of reinventing all the wheels before. I don't do this just for the sake of the criticism itself or because I want to discourage learning or take from any enjoyment you might get from writing code in this style - I'm very much a fan of TIMTOWTDI - and if you want to write these scripts like this for yourself, that's fine. But as soon as you put these into some kind of "production", what I've said before become real issues: the more code your write yourself, the more code you have to test and maintain*. (And for asking questions, it gives others much more code to wade through.)

And if you expose this to the world, there's the added issue of having much more code to secure properly. And with security issues, your site can quickly become the next spam relay or home for scammers, so it affects everyone.

If you're going to be putting stuff online like this, I implore you to use the proper modules and follow the best practices for security.

* Just for example, your sub unescape contains at least one bug: If the input string starts with a %HH encoded character, that is skipped, because my $i = index( $X, '%' ) >= 0 || return $X; doesn't actually get the index, $i will always be the return value of the logical expression. Every single one of your obfuscated subs has a corresponding function in a popular, well-maintained module, or in the Perl core itself.