We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

rename an uploaded file with cgi-lib.pl

gilo
gilo asked
on
Medium Priority
377 Views
Last Modified: 2013-12-25
I make correctly the upload of a file using the cgi-lib.pl,
but I would like to obtain on the server the file with the
originary name.
I can do the renaming only using a constant string in this way:
 rename $cgi_sfn{'upfile'}, $cgi_lib::writefiles."gilo";

but doing it using a variable string causes an error:
rename $cgi_sfn{'upfile'}, $cgi_lib::writefiles."$cfn";

The error_log file says:
Insecure dependency in rename while running with -T switch at /home/gilo/cgi-bin/UpJust.cgi line 39.
access to /home/gilo/cgi-bin/UpJust.cgi failed
reason: malformed header from script

Do someone know how to avoid this kind of error?
Comment
Watch Question

Commented:
Hi there... we've met before, haven't we? :-)

The following is from the perl documentation ('man perlsec'):

When executing a setuid script, or when you have turned on taint checking explicitly using the -T flag, Perl takes special precautions to prevent you from falling into any obvious traps.  (In some ways, a Perl script is more secure than the corresponding C program.)  Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories, or processes.

As I see it the only way to avoid the error in your script is to take out the -T option.

Author

Commented:
Hi pc, how are you?
I would have continued our previous history but in the old page disappeared the form
to send other comments, so I had to send another question, but I'm happy to have
found you again because you already know my problem.

I just would like to know where have I to add this -T flag.
I call the cgi program from the browser, then in the program I call the Readparse
routine of cgi-lib.pl and the program make the uploading.

I can't imagine where I can insert this flag.

Be patient with me  :-)

Ciao  

Author

Commented:
I'm still waiting for an answer
Commented:
Hello, pc!
 AS you the error occurs because '-T', the taint-check option is enabled. But you don't know that where is it inserted? Okay?
 I know that '-T' option automatically is inserted when security is needed like when script is setuided or ALSO CGI.
 While this option is enabled, 'Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories, or processes.'. You violated that.
 To go on, you should secure that. To see how to secure, I recommand you to see man page about 'perlsec', the perl security. if you can't find that. Reply me. then I'll post that.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.