--- Lee Hoffner <[EMAIL PROTECTED]> wrote:
> Thanks, Curtis! Below is the script. (I hope it's clear!)
>
> ____________________________________________________
>
> #!/usr/local/bin/perl
[snip]
> use strict;
> use CGI qw/:standard/;
> my $dir = param('dir');
[snip]
> @filearray = opendir(D,$dir) or die $!;
Lee,
From the snippet above, I can see that there is a significant issue here. Golden rules of CGI security: never trust user input and never allow user input near the shell.

Syntax errors aside, in the above example, anyone can specify any path and they'll get a list of all jpegs and gifs. You probably don't want that. Also, if someone in the future were to take your script and modify it to serve all files, you'd have even worse problems. One of the biggest sources of security holes stems from scripts that did not, in and of themselves, have problems, but were coded with weaknesses and later modification to the scripts exposed the weaknesses.
I took the liberty of recoding your program and testing it, though I've kept what you were looking for. The main thing I did is specify a list of *known good* directories in a hash. If the user-supplied directory is not a hash key, they don't get a list of files. From the HTML end, it's probably best to have a <select> box or something similar so the user doesn't have to (mis)type the directory name every time.
#!/usr/local/bin/perl -wT
use strict;
use CGI::Pretty qw/ :standard *table /;
use CGI::Carp;

my $in_dir = param('dir');

# if $in_dir isn't a hash key, they can't open a directory
my %dirs = ( archimage1    => '/archives/1/',
             archimage2    => '/archives/2/',
             miscellaneous => '/images/misc/' );
my $dir;
$dir = $dirs{ $in_dir } if defined $in_dir and exists $dirs{ $in_dir };

# Verify that the requested directory is one of the known ones.
if ( defined $dir ) {
    opendir DIR, $dir or croak "Could not open $dir: $!";
    my @imagefiles = grep /\.(gif|jpg)$/, readdir(DIR);
    closedir DIR;
    print header,
          start_html( -title => 'Archives' ),
          start_table;
    for ( 0 .. $#imagefiles ) {
        print Tr(
            td(
                img( { src => $dir . $imagefiles[ $_ ] } ),
            )
        );
    }
    # With the loop finished, the script finishes writing the HTML page.
    print end_table,
          end_html;
# Fail (somewhat) gracefully...
} else {
    print header,
          start_html( -title => 'Directory not found' ),
          h3( "The directory could not be found " ),
          end_html;
}
Also, I am painfully aware that not everyone likes CGI.pm's HTML shortcuts. Feel free to remove them and put your HERE docs back in :)
Hope this helps! If you have any other questions, let us know.
Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/
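An added example, not part of Curtis's reply or Lee's script, that exercises the same known-good-directory idea from the command line under taint mode (-T) and builds the <select> box from the same hash, so the option list the browser sees and the list the script will open can never drift apart. The directory paths and the probe strings are made up for the example; Scalar::Util::tainted is used only to show that the raw argument is tainted while the looked-up path is not.

```perl
#!/usr/bin/perl -T
# Added example (not code from the original thread). Run it as:
#   perl -T allowlist.pl archimage1
#   perl -T allowlist.pl '../../etc'
# With no arguments it runs a fixed set of constructed probes.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use CGI qw(popup_menu);

# Known-good directories (paths assumed for the example). The keys are the
# only tokens the browser may send; the values are the only paths ever opened.
my %dirs = (
    archimage1    => '/archives/1/',
    archimage2    => '/archives/2/',
    miscellaneous => '/images/misc/',
);

# Map a user-supplied token to a filesystem path, or return undef.
# The token is used only as a hash key, so nothing the user typed is ever
# passed to opendir; the returned value is the literal stored in %dirs.
sub resolve_dir {
    my ( $token, $dirs ) = @_;
    return undef unless defined $token;
    return exists $dirs->{$token} ? $dirs->{$token} : undef;
}

# Build the <select> for the HTML side from the same hash as the check.
sub dir_menu {
    my ($dirs) = @_;
    return popup_menu(
        -name   => 'dir',
        -values => [ sort keys %$dirs ],
    );
}

# Probe inputs: @ARGV is tainted under -T (like param('dir') in a CGI);
# the constructed literals below are not, which the tainted= column shows.
my @probes = @ARGV ? @ARGV
           : ( 'archimage1', '../../etc', '/etc', 'archimage1/../2', 'ARCHIMAGE1' );

for my $in (@probes) {
    my $dir = resolve_dir( $in, \%dirs );
    printf "input=%-18s tainted=%d  ", $in, tainted($in) ? 1 : 0;
    if ( defined $dir ) {
        printf "resolved=%s tainted=%d\n", $dir, tainted($dir) ? 1 : 0;
    }
    else {
        print "rejected\n";
    }
}

print "\n", dir_menu( \%dirs ), "\n";
```

Only an exact key matches, so traversal strings, absolute paths and case variants all fall through to "rejected" without any pattern-based filtering, and the resolved path comes back untainted because it is the constant from the hash rather than anything derived from the input.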
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]