
CGI and Linux

     
10:01 pm on Jun 1, 2005 (gmt 0)

New User

10+ Year Member

joined:Mar 19, 2004
posts:38
votes: 0


I need help having CGI fetch pages/files in a selected directory...

Actually what my problem is is that I am using a CGI program called Webmin (Google it) to host files at my school (I am a student) and I am trying to make it so that other students can upload files and such... but that's not THE problem. The problem is that the user files are stored outside of the directory that the server serves... i.e. /dir/users/ (the computer is running Linux Red Hat)

If I had a script that could fetch files my problem would be solved... so have this script in the main server directory and then have it get files from another directory and display them (i.e. get.cgi?user=student&file=index.html)

Where student is the username (directory) and file is the file that you want...

thanks!

1:01 am on June 2, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


user=student&file=index.html)

# %qs is the parsed query string (user=...&file=...); error() is defined elsewhere in the script.
if (-f "path_to_other/$qs{'user'}/$qs{'file'}") {
    open(FILE, "path_to_other/$qs{'user'}/$qs{'file'}") or &error("Cannot open file: $!");
    # Read the whole file into $out.
    while ($line = <FILE>) { $out .= $line; }
    close(FILE);

    print "content-type: text/html\n\n";
    print $out;
    exit 0;
}
else { &error("File does not exist."); }

This is, of course, assuming your uid has permissions to read this other directory - if you do not, $! will tell you so. You can do this from a list or assemble some scheme for reading in multiple directories, but this should work.

6:32 am on June 2, 2005 (gmt 0)

New User

joined:July 3, 2004
posts:8
votes: 0


Careful... it's really easy to shoot yourself in the foot doing something like this & open a significant security hole in your system.

Imagine if the user passed "file=../../../../etc/passwd"...

-Bill

4:43 pm on June 2, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


Bills rool. :-) Well if an admin still has their passwd file named passwd and in the default location, and any uid has permissions to it, wouldn't you say they had it coming?

Even so, you're correct - what is required here is to cleanse the data; if the incoming query string is not within a list of valid directories, error out.
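The check described in the last two replies, as an added example that is not part of the original thread: the username is matched against a list of valid directories, the file name is restricted to a plain name, and the resolved path must still sit inside the user's directory. The function name `resolve_user_file`, the allowlist contents and the temporary directory standing in for /dir/users are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# Returns the canonical path to serve, or undef when the request is rejected.
# $base is the users directory (/dir/users in the first post); $valid is a
# hash ref of allowed usernames (hypothetical allowlist).
sub resolve_user_file {
    my ($base, $valid, $user, $file) = @_;
    return undef unless defined $user && defined $file;
    # 1. The directory must be on the list of valid directories.
    return undef unless $valid->{$user};
    # 2. The file must be a plain name: no "/", no leading ".", so "../" cannot appear.
    return undef unless $file =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/;
    # 3. Resolve symlinks and confirm the result is still inside the user's directory.
    my $root = abs_path("$base/$user");
    return undef unless defined $root;
    my $real = abs_path("$root/$file");
    return undef unless defined $real && index($real, "$root/") == 0 && -f $real;
    return $real;
}

# Constructed demo data: a temporary tree standing in for /dir/users.
my $base = tempdir(CLEANUP => 1);
mkdir "$base/student" or die "mkdir: $!";
open my $fh, '>', "$base/student/index.html" or die "open: $!";
print $fh "<p>hello</p>\n";
close $fh;
open $fh, '>', "$base/secret.txt" or die "open: $!";
close $fh;
symlink "$base/secret.txt", "$base/student/link.html" or die "symlink: $!";

my @requests = (
    ['student', 'index.html'],               # legitimate
    ['student', '../../../../etc/passwd'],   # the request from the thread
    ['root',    'index.html'],               # directory not on the list
    ['student', 'link.html'],                # symlink pointing outside
);
for my $req (@requests) {
    my $path = resolve_user_file($base, { student => 1 }, @$req);
    printf "user=%-8s file=%-24s %s\n", @$req, defined $path ? 'served' : 'rejected';
}
```

In the CGI script itself, the returned path would replace the interpolated "path_to_other/..." string in both the `-f` test and the `open` call, with an undef result routed to the error handler.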
