Reputation: 11
I have written a Java Applet as a school project and I need a CGI file to create a file in the cgi-bin directory. The problem is when I run the code from the browser, the code executes but my file is not created with the variable name. Nothing is created. Here is the code:
#!/usr/bin/perl -wT
use CGI;
print "content-type: text/plain\n\n";
my $q = CGI->new();
# All four values come straight from the request, so under -T they are tainted
my $name = $q->param('username');
my $pw = $q->param('param');
my $bool = $q->param('bool');
my $rel = $q->param('rel');
my $ext = ".txt";
my $strt = "../cgi-bin/";
# File path is built from the untrusted username
my $app = $strt . $name . $ext;
print $app;
# open() on a tainted path dies under -T; "Error" is only printed if open returns false
open (FILE,'>',$app) or print "Error";
print FILE $pw . "\n";
print FILE $bool . "\n";
print FILE $rel;
close(FILE);
When I run the cgi it prints the $app variable and it is the correct address I want but the file is not created. If I change the line
open (FILE,'>',$app) or print "Error";
to
open (FILE,'>','../cgi-bin/test.txt') or print "Error";
it creates the file where I want it. Any ideas why this would happen when using the variable $app? Either way I never get Error printed to the browser.
SOLUTION: Thanks guys for the help. When using:
use CGI::Carp qw(fatalsToBrowser);
I got this error:
Content-type: text/html
<H1>Software error:</H1>
<PRE>Insecure dependency in open while running with -T switch
</PRE>
<P>
For help, please send mail to the webmaster (<a href="mailto:or webmaster">or webmaster</a>), giving this error message
and the time and date of the error.
It seems it was not liking the -T. Once I removed that it worked. Thanks again
Upvotes: 1
Views: 1040
Reputation: 93805
-T is Perl's "tainted data" flag. It stops you from doing unsafe operations with untrusted data. Yes, your script works without the -T flag, but now you have a very insecure script.
If someone passes in a username value of ../../../../../../../../home/badguy/secret, then you will write the username and password into secret.txt in badguy's home directory. -T prevents you from doing that. That's why -T exists.
Upvotes: 1
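The answer above explains why dropping -T is the wrong fix. As an added example (not the asker's or any answerer's code), here is the same script rewritten so that it keeps taint mode and untaints the username with a whitelist regex before building the path; a value like ../../home/badguy/secret fails the pattern and is rejected instead of becoming a filename. The output directory /var/www/appdata, the username pattern and the 32-character limit are assumptions to adjust to your own server layout; the parameter names are the ones from the question.

```perl
#!/usr/bin/perl -wT
# Added example: the question's CGI script rewritten to work *with* taint mode.
# Assumptions: $dir exists and is writable by the web server; the username
# alphabet [A-Za-z0-9_] and 1-32 length limit are our own policy choices.
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);

# Under -T, %ENV is tainted as well; pin PATH and drop shell-influencing vars
# so that any later external call is permitted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;
print $q->header('text/plain');

# untaint_username: the only way tainted data becomes untainted in Perl is
# through a regex capture, so capture exactly the characters we allow and
# nothing else. Returns undef for anything outside the whitelist
# (including "../", "/", NUL bytes and empty strings).
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

my $name = untaint_username(scalar $q->param('username'));
unless (defined $name) {
    print "Rejected: username must be 1-32 characters from [A-Za-z0-9_]\n";
    exit 0;
}

# Keep user-supplied data out of cgi-bin: a file the script can write there
# might also be served or executed by the web server. (Constructed path.)
my $dir  = '/var/www/appdata';
my $path = "$dir/$name.txt";

# Three-argument open with a lexical filehandle; report the real reason on
# failure instead of a bare "Error".
open my $fh, '>', $path or die "Cannot open $path: $!";
print $fh join("\n", map { scalar($q->param($_)) // '' } qw(param bool rel)), "\n";
close $fh or die "Cannot close $path: $!";
print "Wrote $path\n";
```

With fatalsToBrowser still loaded, any remaining taint violation shows up in the browser during development as the "Insecure dependency" message from the question, rather than silently producing no file; remove that line before deploying so error details are not exposed to clients.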
Reputation: 51
Why do you use ../cgi-bin to write into cgi-bin? Just use:
open (FILE, ">$name$ext") or die $!;
and use CGI::Carp qw(fatalsToBrowser); to carp fatals to the browser (suitable for this debugging) with file creation.
Upvotes: 3