download script for video files

Hi! I want to write a script which makes it possible for the user to download special files, which normally would be opened by the web server. This is my solution, but the script just downloads parts of files... (mostly about 400 bytes)

#! perl

  $x = $ENV{'PATH_INFO'};
  @values = split(/\&/,$x);
  ($dname,$trash)  = split(/&/,@values[0]);
  ($trash,$dname)  = split(/download\.pl/,$dname);
  ($trash,$endung) = split(/\./,$dname);


  $dname = '/www/milleniumserver/videotrading'.$dname;
#$dname =~ s/\//\\/g;

  open  (FILE, $dname) or &fehler;
  print "Content\-type\: application\/$endung\n\n";
  print join('',<FILE>);
  close (FILE);


  open  (STAT, '>>download.log');
  ($sek,$min,$std,$tag,$mon,$jahr) = localtime(time);
  print STAT "downloaded\: $dname\; $std\:$min\:$sek \/ $tag\.$mon\.$jahr\n";
  close(STAT);

sub fehler
{
  print "Content-type:text/html\n\n";
  print "\<h1\>Fehler \! Datei konnte nicht ge\&ouml\;ffnet werden \! \($dname\)";
  die;
}


regards
ItsMe
 
ozo Commented:
open (FILE, $dname) or &fehler;
binmode FILE;
binmode STDOUT;
print "Content-type: application/$endung\n\n";
print <FILE>;
close (FILE);

but that can be very dangerous if the client sends a PATH_INFO containing something like 'download.pl ; delete *.*|'
0
 
ItsMe (Author) Commented:
Edited text of question.
0
 
ozo Commented:
Depending on what operating system you're on, you may need
binmode

And you don't need to \quote - < > ! ( ) . in qq strings
0
 
ItsMe (Author) Commented:
binmode ??? What do I have to change in the source?

regards
ItsMe
0
 
ItsMe (Author) Commented:
Why is it dangerous? Tell me. I'm new to Perl. Does the open command execute system commands?
0
 
ozo Commented:
yes, see
perldoc -f open
0
 
ozo Commented:
A simple way to protect yourself from trying to open a system command would be to say:
  open(FILE, "<$dname") or &fehler;  

and by the way,
perl -Mdiagnostics -wc
($dname,$trash)  = split(/&/,@values[0]);
Scalar value @values[0] better written as $values[0] at - line 1 (#1)
   
    (W) You've used an array slice (indicated by @) to select a single element of
    an array.  Generally it's better to ask for a scalar value (indicated by $).
    The difference is that $foo[&bar] always behaves like a scalar, both when
    assigning to it and when evaluating its argument, while @foo[&bar] behaves
    like a list when you assign to it, and provides a list context to its
    subscript, which can do weird things if you're expecting only one subscript.
   
    On the other hand, if you were actually hoping to treat the array
    element as a list, you need to look into how references work, because
    Perl will not magically convert between scalars and lists for you.  See
    perlref.
0
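
The points raised in this thread (binmode for binary data, and keeping PATH_INFO from being parsed by open as a command) combined into one hardened handler, as an added example that is not code from any poster here. The base directory is the one from the question; the extension-to-MIME map, the "/name.ext" shape of PATH_INFO and the helper names safe_name and fail are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Base directory is the one from the question; the MIME map is an assumption.
my $BASE = '/www/milleniumserver/videotrading';
my %TYPE = (avi => 'video/x-msvideo', mpg => 'video/mpeg', mov => 'video/quicktime');

# Accept only "/name.ext" made of [A-Za-z0-9_-] with a known extension, so
# pipes, semicolons, spaces and directory components never reach open().
sub safe_name {
    my ($path_info) = @_;
    return unless defined $path_info
        && $path_info =~ m{\A/([A-Za-z0-9_-]+)\.([A-Za-z0-9]+)\z};
    my ($name, $ext) = ("$1.$2", lc $2);
    return unless exists $TYPE{$ext};
    return ($name, $ext);
}

# Send a plain-text error response and stop.
sub fail {
    my ($status) = @_;
    print "Status: $status\nContent-Type: text/plain\n\n$status\n";
    exit 0;
}

my ($name, $ext) = safe_name($ENV{PATH_INFO}) or fail('400 Bad Request');

# Three-argument open: the mode is passed separately, so the file name is
# never interpreted as a pipe or redirect as it can be with open(FILE, $dname).
open(my $fh, '<', "$BASE/$name") or fail('404 Not Found');
binmode $fh;       # binary data: no newline translation on Windows
binmode STDOUT;

my $size = -s $fh;
print "Content-Type: $TYPE{$ext}\n";
print "Content-Length: $size\n";
print "Content-Disposition: attachment; filename=\"$name\"\n\n";

# Copy in fixed-size blocks instead of slurping the whole video into memory.
my $buf;
while (read($fh, $buf, 65536)) {
    print $buf;
}
close $fh;
```

Because the file name is checked against an allowlist before it is used, the same value is also safe to echo into the Content-Disposition header and into a log line.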