[Van-pm] CGI taint mode
Vincent Li
mcli at brc.ubc.ca
Tue Dec 6 16:16:19 PST 2005
> Vincent Li wrote:
> [...]
>> Now I understand, I rewrote the script as you said, it gives me "Global
>> symbol "$info" requires explicit package name....". I changed it to
>>
>> my $info = uploadInfo($file);
>> if ($info) {
>> print $info->{'Content-Type'};
>> }
>> else {
>> warn "can't find $file";
>> }
>>
>> then, no error complain, but nothing wrong with your declaration of
>> $info. In error_log, it did say the file could not be found. What
>> reason cause the file not be found?
>
> I don't know. Check the guts of uploadInfo?

It must be that my untaint regular expression did something wrong that
uploadInfo does not like:

    my $file = param('upload');
    if ($file =~ /^([-\@\w.]+)$/) {
        $file = $1;
    }
    else {
        warn "invalid filename: $file";
    }

If I remove the above chunk of script and do not run in taint mode, the
script works fine.

Thanks again, Stas.
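
The behaviour described in this message, as an added example that is not part of the original post: CGI.pm's param() returns an upload field as a value that is both the filename string and the upload handle, while a regex capture is only a plain string, so uploadInfo() no longer recognises it. The example assumes the CGI module is installed; the request body, the boundary and the names $upload and $safe_name are constructed for illustration.

```perl
# Run as: perl -T example.pl   (requires the CGI module)
use strict;
use warnings;
use CGI;

# Constructed multipart/form-data request, embedded so the script runs offline.
my $boundary = 'constructedBoundary';
my $body = join "\r\n",
    "--$boundary",
    'Content-Disposition: form-data; name="upload"; filename="report-2005.txt"',
    'Content-Type: text/plain',
    '',
    'hello',
    "--$boundary--",
    '';
@ENV{qw(REQUEST_METHOD CONTENT_TYPE CONTENT_LENGTH)} =
    ('POST', "multipart/form-data; boundary=$boundary", length $body);
local *STDIN;                        # leave the real descriptor 0 alone
open(STDIN, '<', \$body) or die "cannot open request body: $!";

my $q      = CGI->new;
my $upload = $q->param('upload');    # filename string that is also the upload handle

# Untaint a COPY for use as a name on disk; the capture $1 is a plain string.
my $safe_name;
if ($upload =~ /^([-\@\w.]+)$/) {
    $safe_name = $1;
}
else {
    die "invalid filename\n";
}

# uploadInfo() is keyed on the original value, so the plain copy finds nothing.
# Depending on the CGI.pm version it returns undef or dies, hence the eval.
my $by_copy   = eval { $q->uploadInfo($safe_name) };
my $by_handle = $q->uploadInfo($upload);

print "lookup with untainted copy: ", ($by_copy ? 'found' : 'not found'), "\n";
print "lookup with original value: ", $by_handle->{'Content-Type'}, "\n";
print "name to use on disk:        $safe_name\n";
```

Keeping the value from param() for uploadInfo() and reading the upload, and using the untainted copy only where a filename reaches the filesystem, lets the script stay in taint mode.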