[vox-tech] Need help securing a simple perl CGI
Ryan
vox-tech@lists.lugod.org
Wed, 20 Feb 2002 17:16:42 -0800
I have rewritten this script so that it does not take in the file name directly, but instead reads in a number and gets the file name from an external config file.
I still need to figure out how to get it to work with non-html mime types.

#!/usr/bin/perl
# Perl CGI script to decompress gzip'd html files on-the-fly to
# save disk space on the server. This will likely slow things
# a bit...
# Edit $filepath below if needed. files.lst should contain one file
# name per line, with path relative to $filepath. The first entry is
# called with 'decomp.pl?filenum=0', the second with
# 'decomp.pl?filenum=1', etc. First entry should be an error page.

use CGI::Carp qw(fatalsToBrowser);            # Tell user if we crap out.

my $filepath = "/var/home/ryan/WWW/";         # Set to your web directory
my $request;

if ($ENV{'REQUEST_METHOD'} eq "GET") {        # Was this 'GET' request?
    $request = $ENV{'QUERY_STRING'};          # Store query string
    $request =~ s/\+/ /g;                     # undo encoding
    $request =~ s/%(..)/pack("c",hex($1))/ge; # ditto
} else {
    $request = <STDIN>;                       # Handle a POST request
}

open(FILES, 'files.lst')                      # open the file list
    or die "Can't open files.lst: $!";        # whine and die if fail

my %data = split (/=/, $request);             # Turn the request into a hash
my @filelist = <FILES>;                       # Put file list into array
chomp(@filelist);                             # Drop the trailing newlines
my $pagenum = $data{'filenum'};               # What file num does user want?
$pagenum = 0                                  # Anything but a valid index
    unless defined $pagenum                   # gets entry 0, the error page
        && $pagenum =~ /^\d+$/ && $pagenum < @filelist;
my $filename = $filelist[$pagenum];           # Get the needed entry
$filename = "$filepath"."$filename";          # Merge root path into file name
                                              # There ought to be error handling here
print "Content-Type: text/html\n\n";          # Tell browser to render html
print `zcat $filename`;                       # Decompress and output the file

--
No Microsoft products were used in any way for the creation of this message.
PGP Public key at http://mother.com/~ryan/ryan_at_mother_dot_com.asc
It is also on the servers: Key ID 0x72177BC7
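
The index lookup described in the message, extended to cover the two points it leaves open (error handling and non-html MIME types), as an added example that is not part of the original post. The %mime table and the names resolve_entry and send_entry are assumptions, and the file list and requests at the bottom are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed extension-to-type table; extend it to match what files.lst serves.
my %mime = (html => 'text/html', txt => 'text/plain', css => 'text/css',
            png  => 'image/png', jpg => 'image/jpeg', pdf => 'application/pdf');

# Map an untrusted filenum to (full path, content type). Anything that is
# not a valid index into the list gets entry 0, the error page.
sub resolve_entry {
    my ($filenum, $root, @list) = @_;
    $filenum = 0 unless defined $filenum
                     && $filenum =~ /\A\d{1,6}\z/
                     && $filenum < @list;
    my $entry = $list[$filenum];
    # files.lst is trusted config, but still refuse entries that leave $root.
    die "bad entry $filenum in file list\n"
        if $entry =~ m{\A/} || $entry =~ m{(?:\A|/)\.\.(?:/|\z)};
    (my $base = $entry) =~ s/\.gz\z//;        # type comes from the name under .gz
    my ($ext) = $base =~ /\.([A-Za-z0-9]+)\z/;
    my $type = defined $ext ? $mime{ lc($ext) } : undef;
    return ($root . $entry, $type // 'application/octet-stream');
}

# Decompress and send one file with the header that matches its type.
sub send_entry {
    my ($path, $type) = @_;
    # List-form pipe open executes zcat directly, so no shell parses $path.
    open(my $zcat, '-|', 'zcat', $path) or die "Can't run zcat: $!\n";
    binmode($zcat);
    my $body = do { local $/; <$zcat> };      # slurp before any header goes out
    close($zcat) or die "zcat failed for the requested entry\n";
    binmode(STDOUT);
    print "Content-Type: $type\n\n", $body;
}

# Constructed sample list and requests; the real script would read files.lst,
# pass in the parsed filenum, and call send_entry() on the result.
my @list = ('error.html.gz', 'index.html.gz', 'notes.txt.gz', 'logo.png.gz');
for my $req ('1', '2', '3', '-1', '99', '2abc', undef) {
    my ($path, $type) = resolve_entry($req, '/var/home/ryan/WWW/', @list);
    printf "%-7s -> %s (%s)\n", defined $req ? "'$req'" : 'undef', $path, $type;
}
```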