Solved

rename an uploaded file with cgi-lib.pl

Posted on 1997-03-11
4
290 Views
Last Modified: 2013-12-25
I make correctly the upload of a file using the cgi-lib.pl,
but I would like to obtain on the server the file with the
originary name.
I can do the renaming only using a constant string in this way:
 rename $cgi_sfn{'upfile'}, $cgi_lib::writefiles."gilo";

but doing it using a variable string causes an error:
rename $cgi_sfn{'upfile'}, $cgi_lib::writefiles."$cfn";

The error_log file says:
Insecure dependency in rename while running with -T switch at /home/gilo/cgi-bin/UpJust.cgi line 39.
access to /home/gilo/cgi-bin/UpJust.cgi failed
reason: malformed header from script

Do someone know how to avoid this kind of error?
0
Comment
Question by:gilo
  • 2
4 Comments
 
LVL 3

Expert Comment

by:pc012197
ID: 1827750
Hi there... we've met before, haven't we? :-)

The following is from the perl documentation ('man perlsec'):

When executing a setuid script, or when you have turned on taint checking explicitly using the -T flag, Perl takes special precautions to prevent you from falling into any obvious traps.  (In some ways, a Perl script is more secure than the corresponding C program.)  Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories, or processes.

As I see it the only way to avoid the error in your script is to take out the -T option.

0
 

Author Comment

by:gilo
ID: 1827751
Hi pc, how are you?
I would have continued our previous history but in the old page disappeared the form
to send other comments, so I had to send another question, but I'm happy to have
found you again because you already know my problem.

I just would like to know where have I to add this -T flag.
I call the cgi program from the browser, then in the program I call the Readparse
routine of cgi-lib.pl and the program make the uploading.

I can't imagine where I can insert this flag.

Be patient with me  :-)

Ciao  
0
 

Author Comment

by:gilo
ID: 1827752
I'm still waiting for an answer
0
 
LVL 1

Accepted Solution

by:
Fordream earned 150 total points
ID: 1827753
Hello, pc!
 AS you the error occurs because '-T', the taint-check option is enabled. But you don't know that where is it inserted? Okay?
 I know that '-T' option automatically is inserted when security is needed like when script is setuided or ALSO CGI.
 While this option is enabled, 'Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories, or processes.'. You violated that.
 To go on, you should secure that. To see how to secure, I recommand you to see man page about 'perlsec', the perl security. if you can't find that. Reply me. then I'll post that.

0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you get a (Blue Screen of Death), your system writes a small file called a minidump. Your first step is to make certain your computer is setup to record memory dumps. Right click My Computer, choose properties. Click on the advanced tab, an…
It is a general practice to get rid of old user profiles on a computer  in a LAN environment. As I have been working with a company in a LAN environment where users move from one place to some other place at times. This will make many user profil…
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now