PerlMonks

Re: open file using variable passed by form

by poj (Abbot)
on Mar 17, 2018 at 09:58 UTC [id://1211117]


in reply to open file using variable passed by form

The cgi script folder is normally not writeable by the web server, for security. Try adding

use CGI::Carp 'fatalsToBrowser'; # use only while debugging
to your script to see what is causing the internal error,

or try this SSCCE, which writes to /tmp:

#!/usr/bin/perl
use strict;
use warnings;
use CGI qw/:standard/;
use CGI::Carp 'fatalsToBrowser'; # use only while debugging
use Cwd;

my $cwd        = getcwd();                  # current working directory
my $event      = param('event') || 1;
my $newCOMMENT = param('newCOMMENT') || 'test comment';
my $commentUID = time();
my $path       = '/tmp';
my $fileA      = "$path/$event.txt";
my $fileB      = "$path/$commentUID.txt";

if ($newCOMMENT ne "") {
    open AFH, '>>', $fileA or die "Could not open $fileA : $!";
    print AFH "$commentUID\n";
    close AFH;
    open BFH, '>>', $fileB or die "Could not open $fileB : $!";
    print BFH "$newCOMMENT\n";
    close BFH;
}

print header, start_html;
print pre("
cwd        : $cwd
event      : [$event]
newCOMMENT : [$newCOMMENT]
commentUID : $commentUID");
print end_html;
poj

Re^2: open file using variable passed by form
by haukex (Archbishop) on Mar 17, 2018 at 10:04 UTC

    Note to the OP: this version still suffers from several of the same issues I describe here. I also think removing taint mode switch -T makes it less safe.

    Updated wording.

      Yes I agree, this example was just to check write permissions. I removed -T so it would run on IIS.

      poj
Re^2: open file using variable passed by form
by michael.kitchen (Novice) on Mar 19, 2018 at 05:01 UTC

    Thank you so much for taking time to help. It seems that -T was killing my script and I used the code from haukex. Used (and learned from) some of your code too. I have a working script (at this point in time). You may see it again for another reason. :)

    For some reason I could not open a file (for writing) in /tmp, but was able to in a new sub-directory of cgi-bin...go figure.

    Again, thanks!!!

      For some reason I could not open a file (for writing) in /tmp, but was able to in a new sub-directory of cgi-bin...go figure.

      That's strange, and could be an indication that your script is running with privileges that are higher than e.g. the nobody user that webservers commonly use to run scripts. That'd be another reason to be incredibly careful with using form input for filenames and potentially other things. Attackers would happily exploit a security hole that allows them to create files to, for example, set up phishing sites under your domain.

      Taint mode is a good idea in this case because it forces you to think about certain cases. But it's of course also not a silver bullet - thinking about what you are doing with user input is always a good idea :-)
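A defensive counterpart to poj's SSCCE, added here as an example and not code from poj, haukex or the OP: it keeps -T on, whitelists the form-supplied event name with a regex capture (the only way Perl untaints a value) before it becomes part of a filename, and writes into a dedicated directory with a lexical filehandle. The $DATA_DIR path, the function names and the sample inputs are assumptions for illustration; in the real script the value would come from param('event'). Run it as perl -T script.pl or directly via the shebang, otherwise Perl reports "Too late for -T".

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Fcntl qw(:flock);

# Directory dedicated to these data files (assumed path, not from the thread).
my $DATA_DIR = '/tmp/event-comments';

# Validate and untaint a form-supplied event name. Under -T the regex
# capture is what untaints, so the whitelist and the untaint are one step:
# a short token of letters, digits, '_' and '-', no '/', no '.', no newline
# (\z, unlike $, does not accept a trailing newline).
sub safe_event_file {
    my ($event) = @_;
    return unless defined $event;
    my ($clean) = $event =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,31})\z/
        or return;
    return "$DATA_DIR/$clean.txt";
}

# Append one line under an exclusive lock; returns an error string or nothing.
sub append_comment {
    my ($file, $comment) = @_;
    open my $fh, '>>', $file or return "open $file failed: $!";
    flock $fh, LOCK_EX     or return "flock $file failed: $!";
    print {$fh} "$comment\n";
    close $fh              or return "close $file failed: $!";
    return;
}

# Constructed inputs standing in for param('event'); only the first
# passes the whitelist, the rest are rejected before any open() happens.
for my $event ('2018-03-17_meeting', '../etc', '.hidden', 'a b') {
    my $file = safe_event_file($event);
    printf "%-20s => %s\n", $event, defined $file ? $file : 'REJECTED';
}

mkdir $DATA_DIR unless -d $DATA_DIR;
if (my $file = safe_event_file('2018-03-17_meeting')) {
    my $err = append_comment($file, 'test comment');
    print $err ? "$err\n" : "wrote $file\n";
}
```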
