Matt's WebShop part 3

Posted on 1999-07-03
Last Modified: 2012-05-04
I'm working with Matt's WebShop.cgi from the Perl Cookbook. I have four issues that I need to address. Each issue is posted as a separate question. The script is too long to post here. Working examples of what I have and the issues can be found at http://www.fishhead.com/webshop.html. There is also a link to the scripts at this page. Even though the script is long, it is well commented as to each section.

I don't like the fact that the script displays the Unix path to each file and directory in the browser. You can see this when you enter the WebShop example I have up. This seems to be a security problem to me. I would like to avoid giving that information to the browser if possible. I've seen scripts that only display the name of the script with each function.
Question by:Gary040897
13 Comments
 
LVL 5

Expert Comment

by:prakashk021799
ID: 1213763
If you do not want path names to appear, then remove the path names in your starting page (http://www.fishhead.com/webshop.html).

For example, change:

http://www.fishhead.com/cgi-bin/WebShop.cgi?config=/export/home4/gold/e/et/webshop/config.txt

to:

http://www.fishhead.com/cgi-bin/WebShop.cgi?config=config.txt

In your CGI script, when you read the value of the 'config' parameter, prepend the value of $CONFIG_DIR to it to get the full path for the config file. Change the following (lines 106 and 107) in WebShop.cgi:

    # Original: the browser sends the full path and the script only checks its prefix
    if ($FORM{'config'} !~ /^$CONFIG_DIR/) { &ws_error('config_file_dir') }
    else { eval "require '$FORM{'config'}'"; if ($@) { &ws_error($@) } }

To:

    if ($FORM{'config'}) {
        # The browser sends only the file name; the directory is known only to the script
        my $config_file = "$CONFIG_DIR/$FORM{'config'}";
        # Refuse anything that is not an existing plain file
        unless (-f $config_file) { &ws_error('config_file'); }
        # Load the config file and report any failure through ws_error
        eval "require '$config_file'";
        if ($@) { &ws_error($@) }
    }

Now $FORM{'config'} has only the config file name and not the full path. Only your script knows the full path. Since $FORM{'config'} does not have the directory name in it, you will need to remove the checking of the directory name in the subroutine ws_error.


Author Comment

by:Gary040897
ID: 1213764
That gave me an error message generated by WebShop.cgi: "WebShop Error: Invalid Config File". The message said I needed to chmod config.txt to 644. I already did that. I did it again to be sure and still got the same message.
LVL 84

Expert Comment

by:ozo
ID: 1213765
Please don't eval a user supplied string.
LVL 5

Expert Comment

by:prakashk021799
ID: 1213766
Refer to the last line of my earlier comment, about removing the check for directory name in $FORM{'config'}.

In the subroutine ws_error, you need to change the code (lines 1025 to 1051) to the following:

        if ($FORM{'config'}) {
            # Test the file under $CONFIG_DIR instead of matching a path prefix
            if ( -e "$CONFIG_DIR/$FORM{'config'}" ) {
                 ...
            } else {
                 ...
            }
        }

The check for directory name ($FORM{'config'} !~ /^$CONFIG_DIR/) is no longer needed, since you are getting only the file name from the link.

Author Comment

by:Gary040897
ID: 1213767
I now get an Internal Server Error.

Author Comment

by:Gary040897
ID: 1213768
Is there another way to do this without eval?
LVL 5

Expert Comment

by:prakashk021799
ID: 1213769
You do not need eval at all in this situation. You can just say:

require $config_file;

But if you want to use eval, it would be safer to check the value in the variable for any unwanted characters and reject the value if it is not valid.

Author Comment

by:Gary040897
ID: 1213770
I want to use whatever method is the most secure. I would like to prevent arbitrary strings from being entered. I also would not like to provide a way for the user to check what files exist on my system. I don't know the best way to accomplish this.
LVL 84

Expert Comment

by:ozo
ID: 1213771
You might keep a table of valid files to use in your program,
and just let the user send an index into that table.
LVL 5

Expert Comment

by:prakashk021799
ID: 1213772
That's one idea. If you want to get file names only, then you could check to make sure the value of $config_file has only alphanumeric characters and possibly a period, but no metacharacters like ;, *, ? etc.
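An added example, not code from WebShop.cgi or from either expert's posts, that combines the two suggestions above: ozo's table of valid config files selected by a short key the client sends, and prakashk's character check on a bare file name. It also drops the string eval in favour of a plain require inside a block eval. The directory value, the table entries, the file names and the function names are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example: select the config file from a fixed table, or validate a
# bare file name, so that no path reaches the browser and no user-supplied
# string is ever evaluated.  Not part of WebShop.cgi.
use strict;
use warnings;
use File::Spec;

# Assumed value; in WebShop.cgi this is the script's own $CONFIG_DIR.
my $CONFIG_DIR = '/export/home4/gold/e/et/webshop';

# Allowlist table (constructed): the only keys a client may send.
# The key never touches the filesystem; it only selects an entry here.
my %CONFIG_TABLE = (
    default => 'config.txt',
    books   => 'books.txt',
);

# Table approach: return the full path for a known key, undef otherwise.
sub config_path_from_table {
    my ($key) = @_;
    return undef unless defined $key && exists $CONFIG_TABLE{$key};
    return File::Spec->catfile($CONFIG_DIR, $CONFIG_TABLE{$key});
}

# File-name approach: accept only alphanumerics/underscore plus a single
# ".txt" extension, so "..", "/", ";", "*" and "?" are rejected before any
# filesystem call.  The capture also untaints the value under perl -T.
sub config_path_from_name {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A([A-Za-z0-9_]+\.txt)\z/;
    return File::Spec->catfile($CONFIG_DIR, $1);
}

# Load the file with a plain require inside a block eval: the path is passed
# as a value, not interpolated into source text, and load errors are caught.
# Returns 1 on success, 0 on any failure; the caller should report both
# "unknown key" and "file problem" with the same generic message so a client
# learns nothing about which files exist.
sub load_config {
    my ($path) = @_;
    return 0 unless defined $path && -f $path;
    my $ok = eval { require $path; 1 };
    return $ok ? 1 : 0;
}

# Stand-alone demonstration with constructed inputs (the "config" parameter
# as a client might send it).
for my $input ('default', 'books', '../../etc/passwd', 'config.txt;ls', 'missing') {
    my $t = config_path_from_table($input);
    my $n = config_path_from_name($input);
    printf "%-20s table -> %s\n", $input, defined $t ? $t : 'REJECTED';
    printf "%-20s name  -> %s\n", $input, defined $n ? $n : 'REJECTED';
}
```

With the table, a request that names an unknown key and one that names a key whose file is missing both end in the same rejection path, which is what the author asked for: the client cannot use the config parameter to probe which files exist on the server. The name-based variant is the weaker of the two, since it still lets the client choose a file under $CONFIG_DIR, but the anchored regex keeps it to a single component with no metacharacters.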

Author Comment

by:Gary040897
ID: 1213773
Any suggestions for a script modification using the table idea?

Author Comment

by:Gary040897
ID: 1213774
For prakashk:

Some other modifications made by other people, to allow adding multiple products to the invoice with a single add button, had the config file error checking commented out. Now, with your first suggestion implemented, I don't have the problem anymore. What I have now is as follows.

    if ($FORM{'config'}) {
        # Browser supplies the file name only; the script adds the directory
        my $config_file = "$CONFIG_DIR/$FORM{'config'}";
        unless (-f $config_file) { &ws_error('config_file'); }
        eval "require '$config_file'";
        if ($@) { &ws_error($@) }
    }

    # Remainder of the earlier check, left commented out by the previous modifications
    #}
    #else {
    #    &ws_error('config_file');
    #}

If you will propose an answer I can accept it.
LVL 5

Accepted Solution

by: prakashk021799 (earned 1600 total points)
ID: 1213775
> If you will propose an answer I can accept it.

OK. Here it is.