PerlMonks  

Re: Allow User to Select Which Files to Delete

by fuzzysteve (Beadle)
on Nov 18, 2001 at 20:07 UTC


in reply to Allow User to Select Which Files to Delete

First thought that comes to mind is to use
@files=glob("/Library/WebServer/Documents/userpages/uploads/*.*")
to get the listing of files. Then you could replace the foreach with
foreach (@files) { print "<br> Delete this File: <INPUT TYPE=\"checkbox\" NAME=\"files\" VALUE=\"$_\">\n"; }
Then use CGI.pm in upload.cgi to decompose the returned parameters and allow for the deletion of multiple files. Something like
foreach ($query->param('files')){ unlink($_); }
Please be warned that this is hideously insecure: as it stands, it would allow someone to pass any file path they want, and if the web server's user had permission, they could delete important files.
It would be better to change to the directory in question so all the file paths returned are relative rather than absolute, and to regex away any .'s and /'s in the parameters returned.
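The hardened form of that deletion step, as an added example that is not code from the thread or from any poster: each submitted value is reduced to a bare file name, joined to a fixed upload directory, and resolved with realpath before unlink, so a form value can neither carry a path nor escape the directory through a symlink. The upload path and the "files" field name are taken from the thread; the function names, the CGI.pm 4.08+ multi_param call and the offline demo on a temporary directory are assumptions of this example. If the script runs under -T, the capture in safe_filename is what untaints the value.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a hardened "delete the selected
# files" step for upload.cgi. Every submitted value is reduced to a bare file
# name, joined to a fixed upload directory, and resolved with realpath before
# unlink, so a form value cannot name a file outside that directory.
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

# Accept only a bare file name: word characters, dots and hyphens, with no
# leading dot (so ".", ".." and dotfiles are refused) and no separator or
# NUL. The capture is what untaints the value under -T. Returns the name
# or undef.
sub safe_filename {
    my ($name) = @_;
    return undef unless defined $name;
    return undef if $name =~ m{[/\\\0]};
    return undef if $name =~ /^\./;
    return undef unless $name =~ /^([\w.-]{1,255})\z/;
    return $1;
}

# For each requested value: validate the name, build the path under $dir,
# and require the resolved path (symlinks followed) to still lie inside
# $dir and be a regular file before unlinking it.
# Returns ([deleted names], [rejected raw values]).
sub delete_selected {
    my ($dir, @requested) = @_;
    my $base = realpath($dir) or die "upload directory missing: $dir\n";
    my (@deleted, @rejected);
    for my $raw (@requested) {
        my $name = safe_filename($raw);
        if (!defined $name) { push @rejected, $raw; next }
        my $path = File::Spec->catfile($base, $name);
        my $real = -e $path ? realpath($path) : undef;
        if (!defined $real || index($real, "$base/") != 0 || !-f $real) {
            push @rejected, $raw;    # missing, points outside $base, or not a plain file
            next;
        }
        if (unlink $path) { push @deleted, $name } else { push @rejected, $raw }
    }
    return (\@deleted, \@rejected);
}

if ($ENV{GATEWAY_INTERFACE}) {
    # Running under a web server: take the checkbox values from the form.
    require CGI;
    my $q = CGI->new;
    my @files = $q->multi_param('files');    # CGI.pm 4.08 or later (assumed)
    my ($ok, $bad) = delete_selected('/Library/WebServer/Documents/userpages/uploads', @files);
    print $q->header('text/html');
    print '<p>Deleted: ',  join(', ', map { $q->escapeHTML($_) } @$ok),  "</p>\n";
    print '<p>Rejected: ', join(', ', map { $q->escapeHTML($_) } @$bad), "</p>\n";
} else {
    # Offline demo on a constructed temporary directory (constructed sample data).
    require File::Temp;
    my $dir = File::Temp::tempdir(CLEANUP => 1);
    for my $f (qw(page1.html photo.jpg)) {
        open my $fh, '>', "$dir/$f" or die "open: $!";
        close $fh;
    }
    my ($ok, $bad) = delete_selected($dir, 'page1.html', '../page1.html', '.htaccess', 'nosuch.txt');
    print "deleted:  @$ok\n";
    print "rejected: @$bad\n";
}
```

Run without a CGI environment it exercises the checks on a temporary directory: only page1.html is deleted, while the value with a slash, the dotfile and the missing file are reported as rejected. The realpath comparison is the part a pure regex cannot give you; it catches a symlink inside the upload directory that points elsewhere.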

Re: Re: Allow User to Select Which Files to Delete
by lex2001 (Sexton) on Nov 19, 2001 at 15:27 UTC
    OK, I got your code to work by checking for tainted data. Can you take a look at the reg expressions that I used - is what I did secure enough? The main perl script that I am trying to create is a simple web page creation program that will allow users to create their own pages. I'm using a scalar called $drt to pass on the value of whatever user might be uploading files or deleting them. So for example in this line of code: my @files=glob("/Library/WebServer/Documents/userpages/$drt/*.*"); I'm passing the folder name of one of the users (bob_jones or whatever). Is this a bad way to do things? I have also checked for tainted data on this scalar -- does my regex make sense for this? Overall what can I do to make all of this more secure? Also one last thing. I need to be able to print out all the files in the directory that I am deleting from so users can select them properly. However with the glob function it prints out the whole path - how can I just print out the file names? Thanks in advance. Here's the code:

####
# Delete File
####
sub delete_file {
    my $query;

    # check for tainted data
    my $files = $q->param( "files") || error( $q, "couldn't read File values");
    $files =~ /^([\/.\w.]+)$/;   # The "untainted" file is now in $1
    $files = $1;
    die "Bad filename" unless $files;

    print<<HTML;
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
<title>Upload - File Deleted</title>
</head>
<body bgcolor="#ffffff">
<form action="upload.cgi" Method="post" ENCTYPE="multipart/form-data">
<P>File(s) Have Been Deleted:
<INPUT TYPE="HIDDEN" NAME="drt" VALUE="uploads2">
<br>
HTML
    foreach ($q->param("files")){ unlink($_); }
    print<<HTML;
<br>
<INPUT TYPE="submit" NAME="action" VALUE="Back To Main">
</FORM>
<p></p>
<!-- trying to get dir_files to print here -->
HTML
}
#### end of delete file

####
# Get File List
####
sub get_file_list {
    my $drt = $q->param( "drt") || error( $q, "couldn't get drt value");
    $drt =~ /^([\w.]+)$/;   # The "untainted" file is now in $1
    $drt = $1;
    die "Bad filename for value drt" unless $drt;

    #opendir(DIR,$dfiles);
    #my @files = grep { $_ ne '.' && $_ ne '..' } readdir(DIR);
    #closedir(DIR);
    my @files=glob("/Library/WebServer/Documents/userpages/$drt/*.*");

    print<<HTML;
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
<title>Upload - Delete Files</title>
</head>
<body bgcolor="#ffffff">
<form action="upload.cgi" Method="post" ENCTYPE="multipart/form-data">
<P>List of Files:
<br>
<INPUT TYPE="HIDDEN" NAME="drt" VALUE="uploads2">
HTML
    foreach (@files) {
        print "<br> Delete this File: $_ <INPUT TYPE=\"checkbox\" NAME=\"files\" VALUE=\"$_\">\n";
    }
    print<<HTML;
<br>
<br>
<INPUT TYPE="submit" NAME="action" VALUE="Remove File(s)">
</FORM>
HTML
}
### end of get file list
      Well, glob only returns the full path if you are doing a search with the full path. If you only search for *.*, it will show you the current directory. Not useful until you use
      chdir("/Library/WebServer/Documents/userpages/$drt/");
      to put you in the right place. Then you can use
      glob("*.*");
      to get the files. Remember to do this both in the deletion and the selection bit.

      Alternatively, get the length of /Library/WebServer/Documents/userpages/$drt/ and in the display section chop it off the front of the string:

      foreach (@files) {
          my $choppedstring=$_;
          substr($choppedstring,0,$length_of_dir)="";
          print "<br> Delete this File: $choppedstring <INPUT TYPE=\"checkbox\" NAME=\"files\" VALUE=\"$_\">\n";
      }
      Usernames aren't a great idea to pass around (if people don't know what a valid user name is, then that's another step they need to take in breaking your security), although I'm not sure what another solution is.
      As for the regexes, I'm not sure. They've never been a strong point for me.
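The listing side, as an added example that is neither code from the thread nor from any poster. It covers two points raised above: the posted get_file_list untaints drt with /^([\w.]+)$/, and because that character class contains a dot the value ".." passes it, so the glob would be built one level above userpages; and the file names can be produced as bare names by reading the directory directly, instead of chopping a prefix off a full path or calling chdir (a process-wide side effect in a CGI). The base path and the bob_jones folder name come from the thread; the function names, the html_escape helper and the temporary-directory demo are assumptions of this example. As in the deletion example, the regex capture is what untaints under -T.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: the listing side of upload.cgi.
# The "drt" parameter is reduced to one plain directory name and resolved
# under a fixed base before anything is read; file names come back as bare
# names, so the form shows and submits names rather than full paths.
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

# Exactly one path component: a letter or digit, then word characters or
# hyphens. ".", "..", "bob/../x" and "bob_jones\n" are all refused.
# The capture is what untaints the value when the script runs under -T.
sub safe_dirname {
    my ($drt) = @_;
    return undef unless defined $drt;
    return undef unless $drt =~ /^([A-Za-z0-9][\w-]{0,63})\z/;
    return $1;
}

# Resolve $base_dir/$drt, require it to be a real directory inside
# $base_dir (symlinks followed), and return the sorted bare names of its
# regular, non-hidden files. Returns undef if the name is not acceptable.
sub list_user_files {
    my ($base_dir, $drt) = @_;
    my $base = realpath($base_dir) or die "base directory missing: $base_dir\n";
    my $name = safe_dirname($drt);
    return undef unless defined $name;
    my $dir = realpath(File::Spec->catdir($base, $name));
    return undef unless defined $dir && index($dir, "$base/") == 0 && -d $dir;
    opendir(my $dh, $dir) or return undef;
    my @entries = readdir $dh;
    closedir $dh;
    my @names = sort(grep { !/^\./ && -f File::Spec->catfile($dir, $_) } @entries);
    return \@names;
}

# Minimal HTML escaping so a stored file name cannot inject markup into
# the page (CGI.pm's escapeHTML does the same job).
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# One checkbox per file, carrying only the bare name.
sub checkbox_rows {
    my ($names) = @_;
    return join '', map {
        my $e = html_escape($_);
        qq{<br> Delete this File: $e <input type="checkbox" name="files" value="$e">\n}
    } @$names;
}

# Offline demo on a constructed temporary tree (constructed sample data).
require File::Temp;
my $base = File::Temp::tempdir(CLEANUP => 1);
mkdir "$base/bob_jones" or die "mkdir: $!";
for my $f (qw(index.html photo.jpg .htaccess)) {
    open my $fh, '>', "$base/bob_jones/$f" or die "open: $!";
    close $fh;
}
for my $drt ('bob_jones', '..', 'bob_jones/../bob_jones', 'nosuch') {
    my $names = list_user_files($base, $drt);
    printf "%-24s -> %s\n", $drt, defined $names ? "[@$names]" : 'rejected';
}
print checkbox_rows(list_user_files($base, 'bob_jones'));
```

In the demo only bob_jones yields a listing (index.html and photo.jpg; the dotfile is filtered out), while "..", the value containing a slash and the non-existent folder are rejected before any directory is opened. Pairing this with the deletion handler means the checkbox values and the unlink targets are both bare names under a directory the script chose, which is the property fuzzysteve's "change to the directory" advice is after.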
