[Van-pm] CGI taint mode
Stas Bekman
stas at stason.org
Tue Dec 6 16:18:53 PST 2005
Vincent Li wrote:
>>Vincent Li wrote:
>>[...]
>>
>>>Now I understand, I rewrote the script as you said, it gives me "Global
>>>symbol "$info" requires explicit package name....". I changed it to
>>>
>>>my $info = uploadInfo($file);
>>>if ($info) {
>>> print $info->{'Content-Type'};
>>>}
>>>else {
>>> warn "can't find $file";
>>>}
>>>
>>>then, no error complain, but nothing wrong with your declarartion of
>>>$info. In error_log, it did say the file could not be found. What
>>>reason cause the file not be found?
>>
>>I don't know. Check the guts of uploadInfo?
>
>
> It must be my untaint regular expression did something wrong that
> uploadInfo does not like
>
> my $file = param('upload');
> if ($file =~ /^([-\@\w.]+)$/) {
> $file = $1;
> }
> else {
> warn "invalid filename: $file"
> }
>
> If I remove the above chunk of script and not run on tained mode, the
> script works fine.
Then try to compare what the filename it gets while w/ -T and while w/o.
Basically you need to roll up your sleeves, get into uploadInfo's guts and
debug, either using print() calls or a perl debugger...
--
_____________________________________________________________
Stas Bekman mailto:stas at stason.org http://stason.org/
MailChannels: Assured Messaging(TM) http://mailchannels.com/
The "Practical mod_perl" book http://modperlbook.org/
http://perl.apache.org/ http://perl.org/ http://logilune.com/
More information about the Vancouver-pm
mailing list