Solved

rename an uploaded file with cgi-lib.pl

Posted on 1997-03-11
4
289 Views
Last Modified: 2013-12-25
I make correctly the upload of a file using the cgi-lib.pl,
but I would like to obtain on the server the file with the
originary name.
I can do the renaming only using a constant string in this way:
 rename $cgi_sfn{'upfile'}, $cgi_lib::writefiles."gilo";

but doing it using a variable string causes an error:
rename $cgi_sfn{'upfile'}, $cgi_lib::writefiles."$cfn";

The error_log file says:
Insecure dependency in rename while running with -T switch at /home/gilo/cgi-bin/UpJust.cgi line 39.
access to /home/gilo/cgi-bin/UpJust.cgi failed
reason: malformed header from script

Do someone know how to avoid this kind of error?
0
Comment
Question by:gilo
  • 2
4 Comments
 
LVL 3

Expert Comment

by:pc012197
ID: 1827750
Hi there... we've met before, haven't we? :-)

The following is from the perl documentation ('man perlsec'):

When executing a setuid script, or when you have turned on taint checking explicitly using the -T flag, Perl takes special precautions to prevent you from falling into any obvious traps.  (In some ways, a Perl script is more secure than the corresponding C program.)  Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories, or processes.

As I see it the only way to avoid the error in your script is to take out the -T option.

0
 

Author Comment

by:gilo
ID: 1827751
Hi pc, how are you?
I would have continued our previous history but in the old page disappeared the form
to send other comments, so I had to send another question, but I'm happy to have
found you again because you already know my problem.

I just would like to know where have I to add this -T flag.
I call the cgi program from the browser, then in the program I call the Readparse
routine of cgi-lib.pl and the program make the uploading.

I can't imagine where I can insert this flag.

Be patient with me  :-)

Ciao  
0
 

Author Comment

by:gilo
ID: 1827752
I'm still waiting for an answer
0
 
LVL 1

Accepted Solution

by:
Fordream earned 150 total points
ID: 1827753
Hello, pc!
 AS you the error occurs because '-T', the taint-check option is enabled. But you don't know that where is it inserted? Okay?
 I know that '-T' option automatically is inserted when security is needed like when script is setuided or ALSO CGI.
 While this option is enabled, 'Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories, or processes.'. You violated that.
 To go on, you should secure that. To see how to secure, I recommand you to see man page about 'perlsec', the perl security. if you can't find that. Reply me. then I'll post that.

0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Making a simple AJAX shopping cart Couple years ago I made my first shopping cart, I used iframe and JavaScript, it was very good at that time, there were no sessions or AJAX, I used cookies on clients machine. Today we have more advanced techno…
Active Directory replication delay is the cause to many problems.  Here is a super easy script to force Active Directory replication to all sites with by using an elevated PowerShell command prompt, and a tool to verify your changes.
Learn the basics of lists in Python. Lists, as their name suggests, are a means for ordering and storing values. : Lists are declared using brackets; for example: t = [1, 2, 3]: Lists may contain a mix of data types; for example: t = ['string', 1, T…
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now