PerlMonks  

Re: Re: file download security

by jreades (Friar)
on Apr 15, 2002 at 18:35 UTC [id://159288]


in reply to Re: file download security
in thread file download security

Isn't the fact that we have:

open(FILE, "$filename")

another big one? (I'm getting back into Perl after a year or two of Java)

open(FILE, "<$filename")

is a good idea to ensure that even if the user is able to access files that they shouldn't using this script, at least they can't replace foo.txt with my_evil_virus.txt.

HTH

Re: Re: Re: file download security
by tachyon (Chancellor) on Apr 15, 2002 at 19:29 UTC

    That is why the code is:

    open FILE, "$filepath/$filename";

    # so provided we hard code $filepath....
    my $filepath = '/usr/somewhere';

    # and untaint $filename ensuring there are no ../ etc, in it
    my $filename = $q->param('filename') || '';
    ($filename) = $filename =~ m/^([\w.-]+)\z/;

    # then this is quite safe...
    open FILE, "$filepath/$filename" or die $!;

    As you rightly point out, open FILE, $file where the user supplies $file and it is not untainted is dangerous as hell; see this for why.

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Re: Re: Re: file download security
by tachyon (Chancellor) on Apr 16, 2002 at 14:01 UTC

    BTW the hard coded < provides no protection. Besides the obvious fact that we only read from the file, not print to it, consider $filename = 'ls; cd /; rm -rf *'

    You can satisfy the < easily with say ls, then add a ;, then go for your life.... The keys for security are 1) hard code the path; 2) untaint the filename so it can only contain m/^[A-Za-z._-]+\z/, which stops the old ../../../etc/passwd. Setting taint mode with the -T flag will catch a lot of errors. Don't CGI without it.

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
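Putting the thread's advice together (hard-coded directory, untaint regex, taint mode) as an added example that is neither tachyon's nor jreades' code: it also uses the three-argument open, whose explicit '<' mode is what actually stops a filename from being read as a pipe or shell command, and it refuses '.' and '..', which the untaint regex alone lets through. The download directory /usr/somewhere is taken from tachyon's post; the function names and the sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
# Run as: perl -T this_script.pl  (taint mode, per tachyon's advice)
use strict;
use warnings;
use File::Spec;

# Hard-coded download directory; never derived from user input.
my $filepath = '/usr/somewhere';

# Untaint a user-supplied filename. Returns the bare name on success,
# nothing on anything suspicious. This regex is the only thing that
# untaints, so no other path reaches open().
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    # Word chars, dot, dash only: no slashes, spaces, NUL bytes or
    # shell metacharacters such as ; | > <.
    my ($name) = $raw =~ m/^([\w.-]+)\z/ or return;
    # [\w.-]+ still matches "." and "..", so refuse them explicitly.
    return if $name eq '.' or $name eq '..';
    return $name;
}

# Open the requested file read-only. With the three-argument form the
# mode '<' is a separate argument, so a name like "foo|" or "ls;" is
# just a (non-existent) filename, never a pipe or a command.
sub open_download {
    my ($raw) = @_;
    my $name = untaint_filename($raw) or return;
    my $full = File::Spec->catfile($filepath, $name);
    open my $fh, '<', $full or return;
    return $fh;
}

# Constructed inputs for a quick self-check of the untaint step.
for my $input ('report.txt', '../../../etc/passwd', 'foo.txt; id', '..') {
    my $name = untaint_filename($input);
    printf "%-25s => %s\n", "'$input'",
        defined $name ? "accepted ($name)" : 'rejected';
}
```

Of the four constructed inputs only 'report.txt' is accepted; the traversal, the shell-metacharacter string and the bare '..' are all rejected before open() is ever called.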
