I waited with posting this until you'd taken down your script, which it seems you've done now, because it contains at least one classic and major security issue: As I've described in my node here, allowing practically unfiltered user input to be used directly in backticks allows anyone to execute arbitrary shell commands on your server. (Not to mention the fact that this script is basically a proxy open to everyone, which is an issue by itself.)

For example, a QUERY_STRING of example.com%22%3Bcat+%22%2Fetc%2Fpasswd would have caused the script to execute the shell command wget ... "http://example.com";cat "/etc/passwd". I hope you see the major problem with that or any other arbitrary command.

I've also commented on your style of reinventing all the wheels before. I don't do this just for the sake of the criticism itself or because I want to discourage learning or take from any enjoyment you might get from writing code in this style - I'm very much a fan of TIMTOWTDI - and if you want to write these scripts like this for yourself, that's fine. But as soon as you put these into some kind of "production", what I've said before becomes a real issue: the more code you write yourself, the more code you have to test and maintain*. (And for asking questions, it gives others much more code to wade through.)

And if you expose this to the world, there's the added issue of having much more code to secure properly. And with security issues, your site can quickly become the next spam relay or home for scammers, so it affects everyone.

If you're going to be putting stuff online like this, I implore you to use the proper modules and follow the best practices for security.

* Just for example, your sub unescape contains at least one bug: if the input string starts with a %HH encoded character, that is skipped, because my $i = index( $X, '%' ) >= 0 || return $X; doesn't actually get the index: $i will always be the return value of the logical expression. Every single one of your obfuscated subs has a corresponding function in a popular, well-maintained module, or in the Perl core itself.


In reply to Re: wget not working from perl by haukex
in thread wget not working from perl by harangzsolt33
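An added example (not part of haukex's post or of the original script) that reproduces the operator-precedence bug on a constructed input and shows the shell-free way to hand a query-string URL to wget; the sub names, the allow-list regex and the use of URI::Escape in place of the hand-rolled unescape are assumptions made here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI::Escape qw(uri_unescape);   # maintained replacement for a hand-rolled unescape

# 1. The precedence bug quoted above, reproduced and corrected.
#    '||' binds tighter than '=', so $i receives the truth value of
#    "index(...) >= 0" (i.e. 1), never the position of the first '%'.
sub buggy_percent_pos {
    my ($X) = @_;
    my $i = index( $X, '%' ) >= 0 || return -1;   # $i is always 1 here
    return $i;
}
sub percent_pos {
    my ($X) = @_;
    my $i = index( $X, '%' );                     # -1 when absent, else the real offset
    return $i;
}
print buggy_percent_pos('%41bc'), "\n";   # 1  (wrong: the leading %41 is skipped)
print percent_pos('%41bc'), "\n";         # 0

# 2. Never hand a decoded query string to a shell. Validate its shape, then
#    start wget with a list-form pipe-open, which does not invoke /bin/sh, so
#    '"', ';' and '|' are ordinary bytes inside a single argv element.
sub fetch_with_wget {
    my ($url) = @_;
    # Allow-list: scheme, host, optional port, conservative path characters.
    # A real deployment should also allow-list the host itself (hypothetical
    # policy, not shown), otherwise the script stays an open proxy.
    return unless $url =~ m{\A https?:// [A-Za-z0-9.-]+ (?::\d+)? (?:/[\w\-./%?=&]*)? \z}x;
    open( my $fh, '-|', 'wget', '-q', '-O', '-', '--', $url )
        or return;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed input: the QUERY_STRING from the post above, percent-decoded.
my $decoded = uri_unescape('example.com%22%3Bcat+%22%2Fetc%2Fpasswd');
print "$decoded\n";                          # example.com";cat+"/etc/passwd
my $result = fetch_with_wget("http://$decoded");
print defined $result ? "fetched\n" : "rejected: not a well-formed URL\n";   # rejected
```

The injected string is refused by the allow-list before any process starts; even a string that passed it could not reach a shell, because the list-form open passes it as one argument to wget.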
