I've been trying to harden a web application which accepts user-uploaded files. The main part of this is to check the filenames and filetypes for any obvious mischief. To this end I created a test folder full of nasty files with horrible names and tested these against my code, improving it all the time.
Here's a list of some of the evil files:
I admit there's not much method in my madness; most are just random names with as much naughtiness as I can think of. I got the code to handle 99% of all such files, but there is ONE that I just can't seem to deal with.
As you can see it's nothing special to look at, just 6 quotes, but this seems to choke the CGI method using the following line:
$uploadpicname = $query->param('ulpic');
The resulting contents of $uploadpicname always devastate my code; I've even had a core dump as a result. I think the variable ends up full of binary from some memory area, because the size of it is huge and it consists of many weird and non-printable characters.
For what it's worth, here's the Perl code for sanitising the filenames. I would welcome any advice or opinions on how to tighten this up more, but I do believe it's CGI, not my code, that's the problem. Forgive the style, I'm a C programmer.
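As an added example (not the poster's code, whose sanitiser is not shown here), this is how I would validate a client-supplied upload name defensively: treat it as untrusted display data, reject anything that does not look like a filename at all (which covers the oversized, binary-filled value the post describes), and never use it as the storage path. The extension allow-list and the `file` fallback base name are assumptions to adjust for the application.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Extension allow-list for this upload endpoint (assumed; set to what the app serves).
my %ALLOWED_EXT = map { $_ => 1 } qw(jpg jpeg png gif);
my $MAX_BASE_LEN = 64;

# Return a safe filename built from the client-supplied one, or undef to reject.
# Never use the return value as the storage path: store under a server-generated
# name and keep this only for display or logging.
sub sanitise_upload_name {
    my ($raw) = @_;
    return undef unless defined $raw;

    # A huge value or one containing NUL/control bytes is not a filename at all;
    # this is the shape of the garbage the post describes for the six-quote name.
    return undef if length($raw) > 255 || $raw =~ /[\x00-\x1f\x7f]/;

    # Drop directory components, whichever separator the client used.
    (my $name = $raw) =~ s{^.*[\\/]}{};

    # Require exactly "base.ext" with an allow-listed extension.
    my ($base, $ext) = $name =~ /^(.*)\.([^.]+)\z/ or return undef;
    $ext = lc $ext;
    return undef unless $ALLOWED_EXT{$ext};

    # Reduce the base to a conservative character set; quotes, spaces,
    # shell metacharacters and leading dots all collapse to underscores.
    $base =~ s/[^A-Za-z0-9_-]+/_/g;
    $base =~ s/^_+|_+$//g;
    $base = 'file' if $base eq '';          # assumed fallback when nothing survives
    $base = substr($base, 0, $MAX_BASE_LEN);

    return "$base.$ext";
}

# Constructed sample names, including the six-quote name from the post.
my @samples = (
    'holiday.jpg',                  # -> holiday.jpg
    '../../etc/passwd',             # -> REJECTED (no allowed extension after stripping dirs)
    'C:\\Users\\me\\"photo".PNG',   # -> photo.png
    '""""""',                       # -> REJECTED
    '""""""' . '.jpg',              # -> file.jpg
    "evil\x00.jpg",                 # -> REJECTED (NUL byte)
    'x' x 300 . '.gif',             # -> REJECTED (oversized)
    '.htaccess',                    # -> REJECTED (extension not allowed)
);
for my $s (@samples) {
    my $safe = sanitise_upload_name($s);
    printf "%-32s -> %s\n", substr($s, 0, 32), defined $safe ? $safe : 'REJECTED';
}
```

Whatever `param('ulpic')` hands back, run it through a check like this before it reaches any path or shell operation; a value that fails is dropped and logged rather than opened.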