Permission problem with CGI script

Tom Hukins tom at eborcom.com
Thu Jul 15 02:20:14 PDT 2010


On Thu, Jul 15, 2010 at 10:45:46AM +0200, Jan Henning Thorsen wrote:
> Just as a side note: I would suggest using three-way open, especially
> when working with web-apps:
> 
>  open my $FH, $mode, $file or die "Could not $mode $file: $!";

I also suggest using three argument open, as it separates the
different things you care about, rather than joining together the mode
and file as one argument.  It's been around since Perl 5.6:
http://search.cpan.org/~jesse/perl-5.12.1/pod/perl56delta.pod#open%28%29_with_more_than_two_arguments

I'd make the code even more readable by removing the "or die.." clause
so you can see the program's intent clearly without having to read
about what it might do if it doesn't work.

Of course, that means you ignore any failure to open the file.  If
you're using a recent version of Perl, use autodie (it's in core since
5.10); if you're using an older version use Fatal (it's in core since
5.003).  Both of them automatically throw errors for you, making your
code cleaner.

> also, using a -X test on the file before appending to it can be
> smart to avoid users from passing in \0 characters, which open()
> will...uhm...I cannot remember, but there (at least used to be) some
> weird security flaw by passing \0 to open in the $file parameter.

I like writing as little code as possible to do the job, and I don't
see what this achieves.  I can't find a CVE that mentions the \0
vulnerability:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=perl

So I'd treat this as "not a problem" until someone points me towards
evidence.

Tom
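
The difference between the two forms of open discussed in this message, shown as an added example that is not part of the original thread. The file name guestbook.txt and the value in $name are constructed for illustration; the script works only inside a scratch directory.

```perl
#!/usr/bin/perl
# Added example: two-argument vs three-argument open, with autodie.
use strict;
use warnings;
use autodie;                       # a failed open/close throws an exception
use File::Temp qw(tempdir);

my $dir  = tempdir(CLEANUP => 1);  # scratch directory, removed on exit
my $file = "$dir/guestbook.txt";   # hypothetical data file

# Constructed sample data: one existing entry that should survive.
open my $out, '>', $file;
print {$out} "first entry\n";
close $out;

# Constructed value standing in for a parameter a web app received.
# The leading '>' is part of the string, not something the program chose.
my $name = ">$file";

# Three-argument form: the mode is fixed to '<', so $name is only ever a
# path. No such path exists, open fails, and autodie raises the error.
my $ok = eval { open my $in, '<', $name; close $in; 1 };
if (!$ok) {
    my $err = $@;
    die $err unless ref $err && $err->isa('autodie::exception');
    print "three-arg open failed as expected: ", $err->errno, "\n"
        if $err->matches('open');
}
printf "size after three-arg open: %d bytes\n", (-s $file) || 0;

# Two-argument form: mode and path travel in one string, so the leading
# '>' is read as "open for writing" and the existing file is truncated.
open my $legacy, $name;
close $legacy;
printf "size after two-arg open:   %d bytes\n", (-s $file) || 0;
```

The first size printed is 12 bytes and the second is 0: only the two-argument call let the contents of the string decide how the file was opened.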

