Do you know where your variables are? | |
PerlMonks |
Re: Re: Re: deleting files created via cgiby gjb (Vicar) |
on Dec 10, 2002 at 17:44 UTC ( [id://218852]=note: print w/replies, xml ) | Need Help?? |
If one's very careful (and sufficiently self-confident ;-) it's possible to code this in a way that's pretty safe. The problem is that if somehow the use might get a filepath smuggled in somehow, there's a lot of havoc to be created. The Unix permissions are not as fine-grained as those of Windows NT/2000. The Unix write permission allows one to change and delete the object. This means that any file that can be written by the userID running the httpd can be changed/deleted, including log files. Again, if one can make absolutely sure that the user never gets to set filepaths, for example by using a hash to map an file ID to an actual file name, there's no problem in having users delete files. I just wanted to stress that one has to be very alert when writing this kind of scripts. Just my 2 cents, -gjb-
In Section
Seekers of Perl Wisdom
|
|