[Van-pm] CGI taint mode
Vincent Li
mcli at brc.ubc.ca
Tue Dec 6 11:31:07 PST 2005
> Vincent Li wrote:
>> Hello Vancouver PM:
>>
>> I read about Lincoln Stein's WWW Security FAQ. I am testing a sample
>> upload.pl. While I turned on the taint mode, and did the taint check as
>> following:
>>
>> ---------
>> 35 if ($file =~ /^([-\@\w.]+)$/) {
>> 36 $file = $1;
>> 37 }
>> 38 else {
>> 39 error("invalid filename: $file");
>> 40 }
>> 41
>
> add:
>
> warn "Trying to upload file: $file\n";
>
> before and after the above chunk and check error_log to make sure it's
> there, it sounds like $file is undef in your case.
>
I put your line after the chunk, error_log shows:
[Tue Dec 6 11:18:31 2005] test: Use of uninitialized value in hash
element at (eval 31) line 3.
[Tue Dec 6 11:18:31 2005] test: Can't use an undefined value as a HASH
reference at test line 43.
>> 42 print h2('File name'),$file;
What confuses me is that line 42 prints out the filename in the browser, so my guess is
$file is defined.
>> 43 print h2('File MIME type'),
>> 44 uploadInfo($file)->{'Content-Type'};
But the uploadInfo function on line 44 sees $file as undefined. Lines 42 and 44 are
in the same scope, so I don't understand why lines 42 and 44 see $file
differently.
>> ----------
>>
>> The script always gives me the error:
>>
>> Software error:
>> Can't use an undefined value as a HASH reference at test line 43.
>
> The line reporter is often skewed, so most likely it is talking about line 44 in
> your code, if that's what is confusing you, Vincent.
>
> --
> _____________________________________________________________
> Stas Bekman mailto:stas at stason.org http://stason.org/
> MailChannels: Assured Messaging(TM) http://mailchannels.com/
> The "Practical mod_perl" book http://modperlbook.org/
> http://perl.apache.org/ http://perl.org/ http://logilune.com/
Thanks Stas.
--
Vincent Li
System Admin, UBC
http://mcli.homelinux.org:8080
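The thread's untaint chunk is the standard taint-mode idiom: a regex capture against a whitelist of characters is the only thing that clears the taint flag, and `$1` is a fresh, clean string. The script below is an added example (not code from the thread or from Lincoln Stein's upload.pl) that wraps that idiom in a function and runs it under `perl -T` over a few constructed sample names. The `substr($ENV{PATH}, 0, 0)` concatenation is the usual trick for manufacturing a tainted value outside a real CGI request; `taint_sample` and `untaint_filename` are names chosen here, and `Scalar::Util::tainted` is what reports the flag.

```perl
#!/usr/bin/perl -T
# Added example: whitelist untainting of an upload filename under taint mode.
# Not code from the thread or from upload.pl; assumes perl is run with -T.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Same whitelist the thread's upload.pl applies: letters, digits, '_', '-', '@', '.'.
# Only the regex capture clears the taint flag; $1 is a fresh clean string and
# the caller's original value is left untouched. Returns undef on any other
# character (slashes, spaces, NUL, ...), so the caller can refuse the upload.
sub untaint_filename {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /^([-\@\w.]+)$/ ? $1 : undef;
}

# Under -T every value present in %ENV at startup is tainted. Concatenating an
# empty tainted substring taints a constructed sample, standing in for the
# value a form field would deliver through CGI.pm's param().
sub taint_sample {
    my ($value) = @_;
    my $taint_source = defined $ENV{PATH} ? $ENV{PATH} : '';
    return $value . substr($taint_source, 0, 0);
}

# Constructed sample names: one the whitelist accepts, two it rejects
# (a slash sequence and a space are both outside [-@\w.]).
my @samples = map { taint_sample($_) }
    'report-2005.txt', 'notes/../other.txt', 'my report.txt';

for my $raw (@samples) {
    my $clean = untaint_filename($raw);
    if (defined $clean) {
        printf "%-20s accepted -> %s (tainted before: %d, after: %d)\n",
            $raw, $clean, tainted($raw) ? 1 : 0, tainted($clean) ? 1 : 0;
    }
    else {
        printf "%-20s rejected\n", $raw;
    }
}
```

One caveat that matters for the error in this thread: CGI.pm's `uploadInfo()` expects the value `param()` returned for the upload field, which is a filehandle object that merely stringifies to the filename, and it looks the upload up by that object rather than by the name. After `$file = $1;` the variable holds a plain string, so `uploadInfo($file)` finds no entry and returns undef, and `->{'Content-Type'}` on that undef produces exactly the "Can't use an undefined value as a HASH reference" message; line 42 still prints fine because printing only needs the string. Keep the original `param()` value for `uploadInfo()`, and use the untainted copy only where a clean string is required, such as the name the file is saved under on disk.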