[Van-pm] CGI taint mode
Stas Bekman
stas at stason.org
Mon Dec 5 18:43:09 PST 2005
Vincent Li wrote:
> Hello Vancouver PM:
>
> I read about Lincoln Stein's WWW Security FAQ. I am testing a sample
> upload.pl. While I turned on the taint mode, and did the taint check as
> follows:
>
> ---------
> 35 if ($file =~ /^([-\@\w.]+)$/) {
> 36 $file = $1;
> 37 }
> 38 else {
> 39 error("invalid filename: $file");
> 40 }
> 41
Add:
warn "Trying to upload file: $file\n";
before and after the above chunk and check error_log to make sure it's
there. It sounds like $file is undef in your case.
> 42 print h2('File name'),$file;
> 43 print h2('File MIME type'),
> 44 uploadInfo($file)->{'Content-Type'};
> ----------
>
> The script always gives me an error
>
> Software error:
> Can't use an undefined value as a HASH reference at test line 43.
The line reporter is often skewed, so most likely it is talking about line 44
in your code, if that's what's confusing you, Vincent.
--
_____________________________________________________________
Stas Bekman mailto:stas at stason.org http://stason.org/
MailChannels: Assured Messaging(TM) http://mailchannels.com/
The "Practical mod_perl" book http://modperlbook.org/
http://perl.apache.org/ http://perl.org/ http://logilune.com/
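
An added example, not part of the original thread and not CGI.pm's own code: the untaint check from the quoted script with the pattern anchored by \A and \z and dot-only names refused, plus a guard so a missing upload-info entry is reported instead of dying on the hash dereference. The sub names and the %upload_info table (a constructed stand-in for the uploadInfo lookup, so the script runs offline) are assumptions.

```perl
use strict;
use warnings;

# Untaint a file name with the character class from the post, anchored with
# \A and \z, and refuse names made only of dots ("." and "..").
# Returns the captured (untainted) name, or undef when the name is rejected.
sub untaint_filename {
    my ($name) = @_;
    return unless defined $name;
    return if $name =~ /\A\.+\z/;
    return $name =~ /\A([-\@\w.]+)\z/ ? $1 : undef;
}

# Read Content-Type from the value an upload-info lookup returned.
# The value is checked first, because dereferencing undef is what raises
# "Can't use an undefined value as a HASH reference".
sub content_type_of {
    my ($info) = @_;
    return unless ref($info) eq 'HASH';
    return $info->{'Content-Type'};
}

# Constructed sample data: a hypothetical lookup table and candidate names.
my %upload_info = ( 'report.txt' => { 'Content-Type' => 'text/plain' } );

for my $raw ( 'report.txt', 'notes-2005.txt', '../etc/passwd', '..', 'a b.txt' ) {
    my $name = untaint_filename($raw);
    unless ( defined $name ) {
        warn "invalid filename: $raw\n";    # goes to error_log under a web server
        next;
    }
    my $type = content_type_of( $upload_info{$name} );
    print "File name: $name, MIME type: ",
        ( defined $type ? $type : 'unknown (no upload info)' ), "\n";
}
```

Run it with `perl -T` to keep taint checks on; the logic is the same without the switch.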