
Perl Server Side CGI Scripting Forum

    
CGI and Linux
sabongio




msg:438171
 10:01 pm on Jun 1, 2005 (gmt 0)

I need help having CGI fetch pages/files in a selected directory...

Actually what my problem is is that I am using a cgi program called Webmin (google it) to host files at my school (I am a student) and I am trying to make it so that other students can upload files and such... but that's not THE problem. The problem is that the user files are stored outside of the directory that the server serves... ie /dir/users/ (the computer is running linux redhat)

If I had a script that could fetch files my problem would be solved... so have this script in the main server directory and then have it get files from another directory and display them (ie get.cgi?user=student&file=index.html)

Where student is the username (directory) and file is the file that you want...

thanks!

 

rocknbil




msg:438172
 1:01 am on Jun 2, 2005 (gmt 0)

user=student&file=index.html)

# %qs is assumed to hold the parsed query string (keys: user, file)
if (-f "path_to_other/$qs{'user'}/$qs{'file'}") {
    # Read the whole file into $out
    open(FILE, '<', "path_to_other/$qs{'user'}/$qs{'file'}") or &error("Cannot open file: $!");
    while ($line = <FILE>) { $out .= $line; }
    close(FILE);

    print "content-type: text/html\n\n";
    print $out;
    exit 0;
}
else { &error("File does not exist."); }

This is, of course, assuming your uid has permissions to read this other directory - if you do not, $! will tell you so. You can do this from a list or assemble some scheme for reading in multiple directories, but this should work.

wdr1




msg:438173
 6:32 am on Jun 2, 2005 (gmt 0)

Careful... it's really easy to shoot yourself in the foot doing something like this & open a significant security hole in your system.

Imagine if the user passed "file=../../../../etc/passwd"...

-Bill

rocknbil




msg:438174
 4:43 pm on Jun 2, 2005 (gmt 0)

Bills rool. :-) Well if an admin still has their passwd file named passwd and in the default location, and any uid has permissions to it, wouldn't you say they had it coming?

Even so, you're correct - what is required here is to cleanse the data; if the incoming query string is not within a list of valid directories, error out.
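
One way to do the cleansing discussed in this thread, as an added example that is not code from any of the posters: allow-list the characters in both parameters, then confirm the resolved path still sits inside the user's directory. The function name resolve_user_file, the write_file helper and the temporary directory layout are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Return the canonical path of $file inside $base/$user, or undef if the
# request is malformed or resolves outside that user's directory.
sub resolve_user_file {
    my ($base, $user, $file) = @_;
    return unless defined $user && defined $file;
    # Allow-list the characters: no slashes and no leading dot, so "../"
    # and absolute paths never reach a filesystem call.
    return unless $user =~ /\A[A-Za-z0-9_][A-Za-z0-9_-]{0,31}\z/;
    return unless $file =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;

    my $root = realpath("$base/$user");
    return unless defined $root && -d $root;
    my $path = realpath("$root/$file");    # follows symlinks
    return unless defined $path && -f $path;
    # Containment check on the resolved path catches a symlink that
    # points outside the user's directory.
    return unless index($path, "$root/") == 0;
    return $path;
}

sub write_file {
    my ($p, $content) = @_;
    open(my $fh, '>', $p) or die "$p: $!";
    print $fh $content;
    close $fh;
}

# Constructed demo layout: a temp tree stands in for /dir/users/
my $base = tempdir(CLEANUP => 1);
make_path("$base/student");
write_file("$base/student/index.html", "<p>hello</p>\n");
write_file("$base/secret.txt", "outside any user directory\n");
symlink("$base/secret.txt", "$base/student/link.html");

for my $req (['student', 'index.html'], ['student', '../secret.txt'],
             ['student', '../../../../etc/passwd'],
             ['student', 'link.html'], ['../student', 'index.html']) {
    my $p = resolve_user_file($base, @$req);
    printf "%-10s %-24s => %s\n", @$req, (defined $p ? 'serve' : 'reject');
}
```

Only the first request is served; the traversal strings fail the character check and the symlink fails the containment check.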
