"David M. Dantowitz" <david@dantowitz.com> wrote:
>Here's a simple script that was a hack/port from a standard form to mail
>script... we usually don't do a lot of Perl scripts on NT systems, but
>this one is destined for such a box rather than a MacOS machine.
>
>#!/usr/local/bin/perl

Use at least -w (warnings) in this line to catch silly programming errors that might also open security holes. If you want security, you also need to turn on taint checking.

># Temporary quick port of a form to email script. Instead, this
># now simply appends answers to the messages file in the
># cgi-bin folder.

Bad idea. Now I can download all your mail by putting the URL dantowitz.com/cgi-bin/messages into my favorite browser.

>foreach $pair (@nvpairs)
>{
>    ($name, $value) = split(/=/, $pair);
>
>    $value =~ tr/+/ /;
>    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>
>    $FORM{$name} = $value;
>}

You are doing this conversion two times.

>open (MAIL, ">>messages") || die "can't append to file messages.\n";

Hard-code the path to the message file. It must be somewhere outside the document hierarchy of the web server. Sometimes the current directory is not what you expect it to be. (If I open a script with MacPerl, the current dir is the dir of the script. If I open it with Alpha and run MacPerl from Alpha via Apple Event, the current dir is the MacPerl dir.)

># Go to the result page based on the value from the form
>#
>print "Location:$FORM{'redirect'}\n\n";

This might be a problem, because $FORM{'redirect'} may be changed by a user to weird values full of escape sequences. But I don't see how someone can use this to open a security hole.

regards
Karsten Meier
---------------------------------------------------------------------
Karsten Meier WWW: http://meier-online.com with following highlights:
* German MacPerl Primer
* XTensions for use with QuarkXPress
EMail krstnmr@ibm.net
Unsolicited and/or commercial email is not permitted at this address.
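The points raised in the reply above (taint mode, a hard-coded message file outside the document root, decoding the form data exactly once, and not trusting the redirect value) pulled together into one script. This is an added example, not David's script and not code from Karsten's reply; the file path /var/spool/formmail/messages and the allow-list of result pages are assumptions for illustration. The redirect check also rejects CR/LF in the value, which is the one way an attacker-controlled Location header can do real damage: a bare "\n" in $FORM{'redirect'} lets the client inject further response headers or a body.

```perl
#!/usr/bin/perl -T
# Hardened form-to-file CGI (added example; not the original script).
# -T turns on taint checking: data from the request or %ENV may not be
# used in open(), system() and the like until a regex capture "cleans" it.
use strict;
use warnings;
use Fcntl qw(:flock O_WRONLY O_APPEND O_CREAT);

# Scrub the environment; mandatory under -T if anything is ever exec'd.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical absolute path, deliberately OUTSIDE the web server's
# document root, so nobody can fetch the file through the browser.
my $MESSAGES_FILE = '/var/spool/formmail/messages';

# Hypothetical allow-list: the only result pages the form may redirect to.
my %ALLOWED_REDIRECT = map { $_ => 1 } qw(/thanks.html /error.html);
my $DEFAULT_REDIRECT = '/thanks.html';

my $MAX_BODY = 64 * 1024;   # refuse unreasonably large POST bodies

# Read the raw query string from a GET or a POST request.
sub read_query_string {
    my $method = $ENV{REQUEST_METHOD} || 'GET';
    my $qs = '';
    if ($method eq 'POST') {
        my $len = $ENV{CONTENT_LENGTH} || 0;
        $len = 0         unless $len =~ /^\d+$/;
        $len = $MAX_BODY if $len > $MAX_BODY;
        read(STDIN, $qs, $len) if $len;
    } else {
        $qs = $ENV{QUERY_STRING} || '';
    }
    return $qs;
}

# Decode application/x-www-form-urlencoded exactly once: split on '&'
# first, then on the FIRST '=' only, then %XX-decode name and value.
# Decoding twice would turn a harmless "%2526" into a live "&".
sub parse_form {
    my ($qs) = @_;
    my %form;
    for my $pair (split /[&;]/, $qs) {
        next unless length $pair;
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        for ($name, $value) {
            tr/+/ /;
            s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
        }
        $form{$name} = $value;
    }
    return \%form;
}

# Untaint the redirect target: accept only a plain server-relative path
# (no CR/LF, no scheme, no query) that is on the allow-list.
sub safe_redirect {
    my ($value) = @_;
    return $DEFAULT_REDIRECT unless defined $value;
    return $DEFAULT_REDIRECT unless $value =~ m{\A(/[A-Za-z0-9_./-]+)\z};
    my $clean = $1;   # the capture is untainted; $value itself still is not
    return exists $ALLOWED_REDIRECT{$clean} ? $clean : $DEFAULT_REDIRECT;
}

# Append one record to the message file, holding an exclusive lock so
# concurrent submissions do not interleave.
sub append_message {
    my ($form) = @_;
    sysopen(my $fh, $MESSAGES_FILE, O_WRONLY | O_APPEND | O_CREAT, 0600)
        or die "can't append to $MESSAGES_FILE: $!\n";
    flock($fh, LOCK_EX) or die "can't lock $MESSAGES_FILE: $!\n";
    print $fh "--- ", scalar(gmtime), " UTC from ",
              ($ENV{REMOTE_ADDR} || '-'), "\n";
    for my $name (sort keys %$form) {
        next if $name eq 'redirect';      # control field, not form content
        my $v = $form->{$name};
        $v =~ s/[\r\n]+/ /g;              # keep one "name: value" per line
        print $fh "$name: $v\n";
    }
    close($fh) or die "can't close $MESSAGES_FILE: $!\n";
}

my $form = parse_form(read_query_string());
append_message($form);
print "Location: ", safe_redirect($form->{redirect}), "\n\n";
```

Taint mode is only honoured when Perl sees -T at startup, so the script has to be executed through its #! line or as `perl -T script.pl`; `perl script.pl` dies with "Too late for -T". The message file is created mode 0600 under the web server's user, so it is readable by the administrator through the shell and by nobody through the browser.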
***** Want to unsubscribe from this list? ***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch