Transmit files by textarea ....

Hi! I'm using Perl to upload some text files which the user can paste into textareas. When the user transmits the files, every line break is doubled at each upload! Do you know why?

regards
ItsMe

code:

    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    @pairs = split(/&/, $buffer);

    foreach $pair (@pairs) {
      ($name, $value) = split(/=/, $pair);
      $value =~ tr/+/ /;
      $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
      $value =~ s/~!/ ~!/g;
      $FORM{$name} = $value;
     }


    ...

    $dbfile = $securedbpath.dshopid.'/header.txt';

    open (ost, ">$dbfile");
      print ost $FORM{'header'};
    close (ost);


ItsMeAuthor Commented:
I forgot to say that the pasted textfiles include html tags.
0
maneshrCommented:
Try this... it will work.
In addition to "uploading" the file, this script will do the proper DOS to UNIX conversion (remove the CTRL-M char), so you have the exact contents as the user typed in the textbox.

=====================================
#!/usr/local/bin/perl

use CGI;

$query=new CGI;

$WebFileName = "uploadedfile.htm";

print "Content-type: text/html\n\n";
if ($query->param){ ##  The form has been submitted by user
  $text_message=$query->param('text_message');  ##  Read the CGI data

  open(MYFILE,"> /tmp/$WebFileName") || die $!;
  binmode MYFILE;

  $text_message=~ s/\r//g;  ##  Strip carriage returns (CTRL-M, shown as ^M)
  print MYFILE $text_message."\n";

  close(MYFILE);
  chmod 0644, "/tmp/$WebFileName";  ##  Owner read/write, others read-only, no execute bit
 
  print "<B>The text has been saved.</B><br>\n";
}

print "<HTML> <HEAD>";
print "<FORM NAME=rst ACTION=\"".$ENV{SCRIPT_NAME}."\" METHOD=POST>\n";
print "Enter search string: <textarea NAME=text_message cols=40 rows=5></textarea>\n";
print "<P><INPUT TYPE=SUBMIT VALUE=\"Upload Now!!\">\n";
print "</FORM>\n";
0
ItsMeAuthor Commented:
Hi! Do you think this is the problem? I'm using an NT Server.
0
ItsMeAuthor Commented:
I added the following part to my script:
$text_message=~ s/^M//g;

It still doesn't work. I don't know why, but between some lines the script adds 20 line breaks or so....
0
maneshrCommented:
did you still get the extra lines with the script i gave you??

0
ItsMeAuthor Commented:
yes. I added the code-line which replaces the line breaks but I still get the extra lines.
0
maneshrCommented:
The problem is because of the way end of line is treated by DOS/Windows and UNIX. In UNIX the end of line is indicated by a newline character, while in DOS/Windows it's a combination "carriage return - line feed".

i think that it is this conversion that is not happening properly and therefore you have double blank lines.
0
ItsMeAuthor Commented:
So, is there a way to solve my problem ? As we all can see it works in EE !!!
0
maneshrCommented:
I am a bit surprised now. In order to check if I could reproduce this problem on my system, I loaded a web server (Sambar4.2) on my PC with PERL 5.005.

Then i wrote a small .html file with a text area and a cgi script with the ability to read that text and store it in a file. All this is on Win NT4.0.

at the end i got the content exactly as the user entered, no double blank lines at all!!

here's the html file and cgi script, in case you want to refer to it.

===================================file.html
<HTML> <HEAD>
<FORM NAME=rst ACTION="/cgi-bin/file.pl" METHOD=POST>
Enter search string: <textarea NAME=text_message cols=40 rows=5>
</textarea>
<P><INPUT TYPE=SUBMIT VALUE="Upload Now!!">
</FORM>

===================================file.pl
        # Buffer the POST content
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

        # Process the name=value argument pairs
        my $pair;
        my $name;
        my $value;
        my @args = split(/&/, $buffer);

        foreach $pair (@args)
        {
                ($name, $value) = split(/=/, $pair);

                # Unescape the argument value
                $value =~ tr/+/ /;
                $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

                # Save the name=value pair for use below.
                $FORM{$name} = $value;
        }

print "Content-type: text/html\n\n";

open(TXT,">text.txt") || die $!;
binmode TXT;
print TXT $FORM{text_message}."\n";
close (TXT);
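# HTML-escape the submitted text before echoing it back to the browser
(my $safe = $FORM{text_message}) =~ s/([&<>"])/'&#'.ord($1).';'/ge;
print "<B>$safe</B>\n";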

0

ItsMeAuthor Commented:
Hi maneshr! Thank you. Now it works, I forgot to "binmode" the file. PS: Is there a security risk with my method? Perhaps when a user enters a system command in the textarea?

regards
ItsMe
0
maneshrCommented:
you can mitigate the risk by...

escaping all "funny" chars like ` | etc...

Secondly, when you store the file, do not give execute permission to the file. That way no one can accidentally/intentionally execute the file.

i think since you are using textarea, you should be much safer than via the "Browse" button.
0
ItsMeAuthor Commented:
what do I need to write to make it safe ?
0
maneshrCommented:
as far as the uploaded files are concerned you should be safe so long as you disallow execution of that program.

Some very good things to do in PERL.

use perl with -T option (taint check)
do not show the location and/or name of the file to which you will be writing the user input to the user. At the very least, do not pass them as parameters to the URL (GET method).

the above will help you reduce the risks by a large percent.

Hope that helps
0
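
The advice in this thread (binmode, taint checking, no execute permission, a file location the client never sees) combined in one script, as an added example that is not part of the original thread. The output path and the size limit are assumptions; `header` is the field name from the question's own code.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. -T enables taint checking.
use strict;
use warnings;
use CGI ();
use Fcntl qw(O_WRONLY O_CREAT O_TRUNC);

# Assumptions: the path and the size limit are hypothetical; 'header' is the
# field name used in the question. The path is fixed server-side and is never
# taken from, or shown to, the client.
my $OUT_FILE = '/var/data/shop/header.txt';
$CGI::POST_MAX = 64 * 1024;    # reject oversized POST bodies
$CGI::DISABLE_UPLOADS = 1;     # textarea content only, no file uploads

# CRLF (Windows) and lone CR both become LF, so no line break is doubled.
sub normalize_newlines {
    my ($text) = @_;
    $text =~ s/\r\n?/\n/g;
    return $text;
}

# Encode HTML-significant characters before echoing user input back.
sub html_escape {
    my ($text) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$ent{$1}/g;
    return $text;
}

my $q    = CGI->new;
my $text = $q->param('header');
print "Content-type: text/html\n\n";

if (defined $text && !$q->cgi_error) {
    $text = normalize_newlines($text);
    # Mode 0600: owner read/write only, no execute bit. The content is only
    # written as data; it is never passed to a shell, eval or backticks.
    sysopen(my $fh, $OUT_FILE, O_WRONLY | O_CREAT | O_TRUNC, 0600)
        or die "cannot open output file: $!";
    binmode $fh;    # stop Perl on Windows from turning LF into CRLF
    print {$fh} $text;
    close $fh or die "close failed: $!";
    print "<p>Saved ", length($text), " bytes.</p>\n";
    print "<pre>", html_escape($text), "</pre>\n";
} else {
    print "<p>Nothing was saved.</p>\n";
}
```

Because the submitted text is only written and HTML-escaped, shell metacharacters in it have no effect; they would matter only if the content or a user-supplied file name reached a shell, which taint mode is there to catch.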
ItsMeAuthor Commented:
Yes, thanks !
What should be dangerous? I save the files as .txt and just transmit them with textareas. Is it possible to enter system commands into textareas and then execute them even when the file is saved as .txt (in a secure directory which is just accessible by a script)?
0
maneshrCommented:
> I save the files as .txt and just transmit them with textareas. Is it
>possible to enter system commands into textareas

yes, a user can enter anything, including system commands.

>and then execute them even when the file is
>saved as .txt (in a secure directory which is just accessible by a script) ?

No, the file cannot be executed since the user would have no access to it (in a secure directory which is just accessible by a script).

On a UNIX system, file extensions are not a must for execution, so I can have a Perl script with a .txt extension that can still be executed!!

Don't worry, you are safe using the method that you have thought of.

0
ItsMeAuthor Commented:
Why am I safe? What happens if a user types in dele *.* ?
0
maneshrCommented:
Let the user type whatever he/she wants. You will not be executing the content, just saving it, so it doesn't make any difference!!

The bottom line is you are not allowing the user to upload a file, BUT only the contents. That's why you are safe!!
0
ItsMeAuthor Commented:
thanks :-)
0
maneshrCommented:
you're welcome :-)
0