PerlMonks  

File writing script (taint mode problem?)

by beretboy (Chaplain)
on Jan 21, 2002 at 02:35 UTC ( [id://140251]=perlquestion )

beretboy has asked for the wisdom of the Perl Monks concerning the following question:

The following script is meant to write a file based on form input. The script works on the command line but not via CGI. I believe taint checking is to blame. As far as the security aspect, this will only be used by me and be password protected so what is written is not a security concern.
```perl
#!/usr/bin/perl -w
use strict;
use CGI qw( param header);
$q = new CGI;
my $tela = $q->param('tela');
my $yoken = $q->param('yoken');
if ($tela eq undef) {
    print header;
    print <<SEIFORM;
<HTML>
<TITLE>seisei</TITLE>
<body bgcolor="black" background="line.gif" alink="#ff9900" link="#ff9900" vlink="#ff9900" text="#ff9900">
<form action="seisei.cgi" method="get" name="seisei">
Tela:<input type="text" value="wiki" name="tela" align="top" maxlength="25" size="77"><br>
<textarea name=yoken cols=70 rows=12>void</textarea>
<BR>
<input type="submit" value="kuppuku" align="middle">
</BODY>
</HTML>
SEIFORM
} else {
    print header;
    print <<SUCCESS;
<HTML>
<TITLE>daiseikou</TITLE>
<body bgcolor="black" background="line.gif" alink="#ff9900" link="#ff9900" vlink="#ff9900" text="#ff9900">
<CENTER><H1>daiseikou</H1></CENTER>
</BODY>
</HTML>
SUCCESS
    open(TELA, ">$tela.tela");
    print TELA "$yoken";
    print "$yoken";
}
```

Edit ar0n -- fixed

Replies are listed 'Best First'.
Re: File writing script (taint mode problem?)
by kal (Hermit) on Jan 21, 2002 at 02:42 UTC

    beretboy - please use code tags :)

    Going from your scratch pad, the problem is that you haven't defined $q, but you are using strict. Putting a 'my' in front of it (i.e., my $q = new CGI;) makes it work for me.

    Always check the webserver logs if you are able to - the error will usually be there. You can also use the 'FatalsToBrowser' setting - check the CGI.pm man page, for example.

Re: File writing script (taint mode problem?)
by strat (Canon) on Jan 21, 2002 at 02:59 UTC
    Try to test your perl-code in a shell with:
    perl -cw myscript.pl
    That might tell you something about not having declared $q...

    Best regards,
    perl -e "print a|r,p|d=>b|p=>chr 3**2 .7=>t and t"

Re: File writing script (taint mode problem?)
by chromatic (Archbishop) on Jan 21, 2002 at 11:44 UTC
    For your next question, please provide the actual text of the error or warning you are receiving. Besides not declaring $q, you'll receive at least one warning about an undefined value in 'string eq'. Instead of comparing a value to undef, try:
    ```perl
    if (! defined $tela) {
        # ...
    } else {
        # ...
    }
    ```
    Assuming you did leave off the -T flag (or that it's enabled in your webserver CGI association), your open call will fail. $tela will be tainted. Even so, you don't check the success or failure of the open command, which is a bad habit to cultivate.

    When run by a webserver, your program has different permissions than when run on the command line. Even if you fix the tainting, this may come back to haunt you. Do check perlvar.
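
An added example, not part of the original thread or any poster's code: one way to combine the points raised in the replies (a `defined` test, untainting the file name through an allowlist regex capture, and a checked three-argument `open`). The names `clean_stem`, `write_tela` and `$DATA_DIR` are hypothetical, and the sample inputs are constructed stand-ins for what `$q->param('tela')` would return.

```perl
#!/usr/bin/perl -T
# Run as "perl -T script.pl" so the -T on the #! line matches the command line.
use strict;
use warnings;

# Assumption: files go to the working directory, as in the original script.
my $DATA_DIR = '.';

# Return an untainted file stem, or undef if the raw value is not acceptable.
# Under -T, only text captured by a regex match is considered clean.
sub clean_stem {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Allowlist: letters, digits, underscore, hyphen; at most 25 characters,
    # matching the form's maxlength. Dots and slashes are not accepted, so
    # the value cannot name anything outside $DATA_DIR.
    return $raw =~ /\A([A-Za-z0-9_-]{1,25})\z/ ? $1 : undef;
}

# Write $body to "$DATA_DIR/<stem>.tela"; returns (1, path) or (0, reason).
sub write_tela {
    my ($raw_name, $body) = @_;
    my $stem = clean_stem($raw_name);
    return (0, 'rejected name') unless defined $stem;
    my $path = "$DATA_DIR/$stem.tela";
    # Three-argument open keeps the mode separate from the file name,
    # and the result is checked instead of assumed.
    open(my $fh, '>', $path) or return (0, "open $path: $!");
    print {$fh} defined $body ? $body : '';
    close($fh) or return (0, "close $path: $!");
    return (1, $path);
}

# Constructed sample inputs standing in for $q->param('tela').
for my $name ('wiki', '../../etc/passwd', 'notes|', undef) {
    my ($ok, $info) = write_tela($name, "void\n");
    printf "%-20s => %s (%s)\n", defined $name ? $name : '(undef)',
        $ok ? 'written' : 'refused', $info;
}
```

Only the first sample name passes the allowlist; the others are refused before `open` is reached, and a permissions failure under the webserver's user would surface as the `open ...: $!` reason instead of failing silently.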
