[vox-tech] Need help securing a simple perl CGI

Ryan vox-tech@lists.lugod.org
Sun, 17 Feb 2002 22:26:28 -0800


This is a perl cgi script I wrote to allow me to have large html files on my
web host without exceeding my storage quota.

I'd like it looked at, _I_ can no longer abuse it to run random commands or
go where I shouldn't, but that doesn't mean others can't.

Any other feedback would also be great.

#!/usr/bin/perl
#Let users transparently access files that are gzipped server-side
#Useful only to keep under my storage quota ;-)

my $in = $ENV{'QUERY_STRING'};		# Handle CGI calls
$in =~ s/\+/ /g;			# Replace '+' with ' '
$in =~ s/%(..)/pack("c",hex($1))/ge;	# Undo URL quoting

$in =~ s/\.\.//g;			# Foil Nasty h4x0rz trying to descend
					# directories
$in =~ s/\\//g;				# There is no need for backslashes!
$in =~ s/\'//g;				# prevent h4x0rz from
					# running commands like
					# zcat.cgi?file=foo.html.gz';rm -rf *'

my %data = split (/=/, $in);		# Make a hash

my $file = $data{'file'};		# get the name of the requested file

print "Content-Type: text/html\n\n";
# print `echo '$file'`;			# debugging
print `zcat ~/WWW/'$file'`;		# quotes prevent nasties.

-- 
No Microsoft products were used in any way for the creation of this message.
PGP Public key at http://mother.com/~ryan/ryan_at_mother_dot_com.asc
It is also on the servers: Key ID 0x72177BC7
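The script above strips characters it considers dangerous and then hands the result to a shell through backticks. Strip-based blocklists are fragile (removing one pattern can leave or create another) and the shell is the component that interprets the name at all. A hardened rewrite of the same idea follows, as an added example that is not the poster's code: it parses the query string properly, accepts the file name only if it matches an allowlist, confirms the resolved path is still under the document directory, and decompresses in-process so no shell is ever involved. The base directory /home/ryan/WWW stands in for the original's ~/WWW and is an assumption.

```perl
#!/usr/bin/perl -T
# Hardened zcat.cgi: allowlist the name, never touch a shell (added example).
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use IO::Uncompress::Gunzip qw($GunzipError);   # core module since Perl 5.10

# Assumed base directory; the original relied on the shell expanding ~/WWW.
my $BASE = '/home/ryan/WWW';

# Parse QUERY_STRING into a hash: split on '&', then '=', then URL-decode each part.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /&/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        $v //= '';
        for ($k, $v) { s/\+/ /g; s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge; }
        $p{$k} = $v;
    }
    return \%p;
}

# Allowlist: one path component, no leading dot, no separators, must end in .html.gz.
# The capture also untaints the value for -T; anything that does not match is rejected.
sub safe_path {
    my ($name) = @_;
    return undef unless defined $name
        && $name =~ /\A([A-Za-z0-9][A-Za-z0-9_-]*\.html\.gz)\z/;
    my $path = File::Spec->catfile($BASE, $1);
    # Second check: after symlink resolution the file must still live under $BASE.
    my $real = realpath($path);
    return undef unless defined $real && index($real, "$BASE/") == 0 && -f $real;
    return $real;
}

my $file = safe_path(parse_query($ENV{QUERY_STRING})->{file});
unless ($file) {
    print "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNo such file\n";
    exit 0;
}
# Decompress in-process: no zcat, no shell, so nothing in $file is ever interpreted.
my $gz = IO::Uncompress::Gunzip->new($file) or die "gunzip failed: $GunzipError";
print "Content-Type: text/html\r\n\r\n";
while (defined(my $line = $gz->getline)) { print $line; }
$gz->close;
```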