
CGI and Linux

   
10:01 pm on Jun 1, 2005 (gmt 0)




I need help having CGI fetch pages/files in a selected directory...

Actually, my problem is that I am using a CGI program called Webmin (Google it) to host files at my school (I am a student), and I am trying to make it so that other students can upload files and such... but that's not THE problem. The problem is that the user files are stored outside of the directory that the server serves, i.e. /dir/users/ (the computer is running Red Hat Linux).

If I had a script that could fetch files my problem would be solved... so have this script in the main server directory and then have it get files from another directory and display them (i.e. get.cgi?user=student&file=index.html)

Where student is the username (directory) and file is the file that you want...

thanks!

1:01 am on Jun 2, 2005 (gmt 0)

rocknbil (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)



user=student&file=index.html)

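# %qs is assumed to hold the parsed query string (user=...&file=...);
# &error is assumed to be your own error-reporting routine.
# Both values go into the path exactly as they were received.
if (-f "path_to_other/$qs{'user'}/$qs{'file'}") {
    open(FILE,"path_to_other/$qs{'user'}/$qs{'file'}") or &error("Cannot open file: $!");
    while ($line = <FILE>) { $out .= $line; }   # read the whole file into $out
    close (FILE);

    print "content-type: text/html\n\n";
    print $out;
    exit 0;
}
else { &error("File does not exist."); }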

This is, of course, assuming your uid has permissions to read this other directory - if you do not, $! will tell you so. You can do this from a list or assemble some scheme for reading in multiple directories, but this should work.

6:32 am on Jun 2, 2005 (gmt 0)



Careful... it's really easy to shoot yourself in the foot doing something like this & open a significant security hole in your system.

Imagine if the user passed "file=../../../../etc/passwd"...

-Bill

4:43 pm on Jun 2, 2005 (gmt 0)

rocknbil (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)



Bills rool. :-) Well if an admin still has their passwd file named passwd and in the default location, and any uid has permissions to it, wouldn't you say they had it coming?

Even so, you're correct - what is required here is to cleanse the data: if the incoming query string is not within a list of valid directories, error out.
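The check described in the last reply (accept a request only if it names a valid directory, otherwise error out), written out as an added example that is not code from the thread. It assumes the user directories sit under /dir/users as in the question; `parse_qs` and `resolve_request` are names made up here, and it goes one step beyond the reply by also restricting the file name and resolving symlinks before opening anything.

```perl
#!/usr/bin/perl
# Added example (not from the thread): get.cgi with validated user and file.
use strict;
use warnings;
use Cwd qw(realpath);
my $BASE = '/dir/users';    # assumption: parent of the per-user directories

# Decode QUERY_STRING into a hash, like the %qs the posted snippet relies on.
sub parse_qs {
    my %qs;
    for my $pair (split /[&;]/, $ENV{QUERY_STRING} // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v //= '';
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge }
        $qs{$k} = $v;
    }
    return %qs;
}

# Return the canonical path of an allowed file, or undef to reject the request.
sub resolve_request {
    my ($base, $user, $file) = @_;
    return unless defined $user && defined $file;
    # List of valid directories: only names that actually exist under $base.
    opendir(my $dh, $base) or return;
    my %valid = map { $_ => 1 } grep { !/^\./ && -d "$base/$_" } readdir $dh;
    closedir $dh;
    return unless $valid{$user};
    # File must be one path component: no "/", no "..", no leading dot, no NUL.
    return unless $file =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    return unless -f "$base/$user/$file";
    # Resolve symlinks and confirm the result is still inside the user's directory.
    my $root = realpath("$base/$user") or return;
    my $real = realpath("$base/$user/$file") or return;
    return index($real, "$root/") == 0 ? $real : undef;
}

my %qs   = parse_qs();
my $path = resolve_request($BASE, $qs{user}, $qs{file});
my $fh;
if (defined $path && open($fh, '<', $path)) {
    print "Content-Type: text/html\n\n";    # same type the posted snippet sends
    print while <$fh>;
    close $fh;
} else {
    # One generic answer for every failure: no path or $! detail is echoed back.
    print "Status: 404 Not Found\nContent-Type: text/plain\n\nFile not found.\n";
}
```

Running it from a shell with QUERY_STRING set (for example to user=student&file=index.html) exercises it without a web server.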

 
