Views: 4234 | Replies: 1
Hi,
I've been reading through some tutorials on creating a basic web upload script with perl and cgi. The problem is that my server keeps throwing an Internal Server Error 500 without giving any feedback. I am hoping that someone has run into a similar problem or there is an obvious problem with my script. Here is the form script on the html document (/var/www/apache2-default/projects/music/music.html):
<FORM ACTION="upload.cgi" METHOD="POST" ENCTYPE="multipart/form-data">
Song to Upload: <INPUT TYPE="file" NAME="song">
<br>
<INPUT TYPE="submit" NAME="Submit" VALUE="Submit Form">
</FORM>
My httpd.conf for Apache2:
<Directory /var/www/apache2-default/projects/music/>
Options FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>
And my actual upload.cgi file:
#!/usr/bin/perl -w
use CGI;
$upload_dir = "/apache2-default/projects/music/upload";
$query = new CGI;
$filename = $query->param("song");
$filename =~ s/.*[\/\\](.*)/$1/;
$upload_filehandle = $query->upload("song");
open(UPLOADFILE, ">$upload_dir/$filename") or die "Can't open '$upload_dir/$filename': $!";
binmode UPLOADFILE;
while ( <$upload_filehandle> )
{
print UPLOADFILE;
}
close UPLOADFILE;
All folders and files have been chmoded to 755 for all user execution. Even so, it seems like the httpd.conf points to the correct directory to allow cgi execution, but there has to be something wrong with the upload.cgi script.
#!/usr/bin/perl -T
use strict;
use warnings;
I know you used warnings with the -w flag already, but adding strict will help with debugging as well. Also, you "MUST" use the -T flag as shown to enable taint mode, or mistakes in your code could turn into gaping security holes. DO NOT leave all your folders and files at the 755 permission setting. Only a CGI script you want to be executable by an HTTP request should have these permissions. All other files should not allow anything else but read permission to "other" or "world" users (i.e. 4 as the last permission digit).
If there is a file called something like "cgierror.log" in the "logs" directory on the server, compile and run time errors may be collected here. You have not validated the user input sufficiently before passing it to open. This
$filename =~ s/.*[\/\\](.*)/$1/;
means, match some stuff then capture anything any number of times and set $filename to this. This means someone could pass virtually anything into open(FILEHANDLE,....). Including of course ">my_file", which will delete the contents of any file a hacker chooses. Instead try,
$filename =~ /([^<>]*)/;   # capture into $1 (the capture is what untaints the value under -T)
$filename = $1;
open(FILEHANDLE, "<", $filename);
The regex will remove any shell meta characters (<>) from the name supplied. I think it's best to use the three parameter form of open shown, as it's safer by not allowing user data to set the open mode. Finally, if it's just a text field you want to gather with your form, put:
<input type="text" name="song">
I don't think type="file" is valid HTML.
Steven.
Hello, you're through to Steven on the BT Business technical help desk. Could I take your broadband telephone number please?
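Putting the two posts together, here is an added example of upload.cgi (my code, not the original poster's script or Steven's snippet) that emits a header before anything else, so Apache does not answer with a bare 500, and that validates the file name under taint mode before the three-argument open. It assumes the absolute upload directory /var/www/apache2-default/projects/music/upload exists and is writable by the Apache user; the 20 MB limit is an arbitrary choice.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use File::Basename qw(basename);

# Under -T, data from the request cannot reach open() until a regex
# capture has untainted it, so the validation below is enforced by perl.
$ENV{PATH} = '/bin:/usr/bin';   # -T wants a trusted PATH (no command is run here)

# Assumed absolute path; only the CGI script itself needs the execute bit,
# the upload directory just has to be writable by the web server user.
my $upload_dir = '/var/www/apache2-default/projects/music/upload';
$CGI::POST_MAX = 20 * 1024 * 1024;   # reject request bodies above 20 MB (assumed limit)

my $query = CGI->new;

# Send a header first: a script that prints no header at all is one common
# reason Apache reports "500 Internal Server Error" with no other feedback.
print $query->header('text/plain');

my $fh = $query->upload('song');
if (!$fh) {
    print "No file received: ", ($query->cgi_error || 'missing field'), "\n";
    exit;
}

# Keep only the last path component of the browser-supplied name, then allow
# a conservative character set; the capture is what untaints $filename.
my $raw = basename(scalar $query->param('song'));
my ($filename) = $raw =~ /^([A-Za-z0-9][A-Za-z0-9._-]{0,99})$/;
if (!defined $filename) {
    print "Rejected file name\n";
    exit;
}

# Three-argument open: the mode is fixed by the script, never by the data,
# so a name such as ">somefile" cannot change what open() does.
my $dest = "$upload_dir/$filename";
open(my $out, '>', $dest) or die "Can't open '$dest': $!";
binmode $out;
my $buf;
while (my $n = read($fh, $buf, 65536)) {
    print {$out} $buf or die "Write to '$dest' failed: $!";
}
close $out or die "Close of '$dest' failed: $!";
print "Saved $filename\n";
```

If the script still fails, Apache's error_log (or the cgierror.log Steven mentions, where it exists) shows the die message or the compile error that the browser's 500 page hides.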