firefox could open my cgi, IE will be dead, why?

robertchen117

My CGI is very simple; it just outputs the file's content. The file name
comes from another CGI's parameter.

If I use Firefox to visit the page, there are no issues at all! Everything looks
great. But if I use Internet Explorer, the CGI will make IE die.
Please help me.

#!/tivoli/vendor/perl/bin/perl
use CGI;
#rchen on 4/10

my $cgi = new CGI;
print $cgi->header(-type=>"text/html", -expires=>'now');
print $cgi->start_html("Details of the configurations");

my $logfile = $cgi->param('logfile');
open(DATA, "$logfile")|| die("File is not exist!\n");

@lines = <DATA>;

foreach $line (@lines) {
print "<PRE>$line <\PRE>";
}

close(DATA);
print $cgi->end_html;
 
cipher

Hi!

You sent a "text/html" document, so you should directly read from the
file and write to the html stream. The text may contain some
characters with special meaning for html (like "&"). Apply the
function encode_entities to the data before printing.

Greetings from Bavaria,

Markus
 
Gunnar Hjalmarsson

My CGI is very simple; it just outputs the file's content. The file name
comes from another CGI's parameter.

If I use Firefox to visit the page, there are no issues at all! Everything looks
great. But if I use Internet Explorer, the CGI will make IE die.
Please help me.

Enable warnings (and strictures), and Perl will help you find the problem.
 
patrick

My CGI is very simple; it just outputs the file's content. The file name
comes from another CGI's parameter.

If I use Firefox to visit the page, there are no issues at all! Everything looks
great. But if I use Internet Explorer, the CGI will make IE die.
Please help me.

#!/tivoli/vendor/perl/bin/perl
use CGI;
#rchen on 4/10

my $cgi = new CGI;
print $cgi->header(-type=>"text/html", -expires=>'now');
print $cgi->start_html("Details of the configurations");

my $logfile = $cgi->param('logfile');
open(DATA, "$logfile")|| die("File is not exist!\n");

@lines = <DATA>;

foreach $line (@lines) {
print "<PRE>$line <\PRE>";

}

close(DATA);
print $cgi->end_html;

You're using <\PRE> when it should be </PRE>

Why <PRE> line </PRE> instead of
<PRE> line
line
line
</PRE>?
 
Ron Bergin

My CGI is very simple; it just outputs the file's content. The file name
comes from another CGI's parameter.

If I use Firefox to visit the page, there are no issues at all! Everything looks
great. But if I use Internet Explorer, the CGI will make IE die.
Please help me.

Others have already pointed out the main issues, but I'll point out a
few that were missed.

#!/tivoli/vendor/perl/bin/perl

Since this is a CGI script that relies on user input, you should be
running in taint mode.

#!/tivoli/vendor/perl/bin/perl -T

During the testing/debugging phase, you should redirect the fatal
errors and warnings to the browser to aid in troubleshooting.

use CGI::Carp qw(fatalsToBrowser warningsToBrowser);

#rchen on 4/10

my $cgi = new CGI;
print $cgi->header(-type=>"text/html", -expires=>'now');
print $cgi->start_html("Details of the configurations");

warningsToBrowser(1); # warnings show up as html comments

my $logfile = $cgi->param('logfile');
open(DATA, "$logfile")|| die("File is not exist!\n");

1) That is very insecure because it allows the user to access files
that they shouldn't.

2) Unless there is a possibility of having spaces in the filename,
there is no need (and most will say you shouldn't) use the quotes
around the var.

3) DATA is one of Perl's reserved filehandles used to read in data
after the __DATA__ or __END__ token. It should not be used as the
filehandle for accessing the log file.

4) It's preferable to use the 3 arg form of the open call.

5) Especially during debugging, the die statement should include the
error message returned by the OS.

my %logs = (log1 => 'path/to/log1',
log2 => 'path/to/log2',
log3 => 'path/to/log3',
);

my $logfile = $cgi->param('logfile');
open( my $logfile, '<', $logs{$logfile} )
 
Ron Bergin

my $logfile = $cgi->param('logfile');
open( my $logfile, '<', $logs{$logfile} )
|| die "Unable to open $logfile: <$!>\n";

Oops, a little correction:

my $logfile = $cgi->param('logfile');
open( my $log, '<', $logs{$logfile} )
|| die "Unable to open $logfile: <$!>\n";
 
Ben Morrow

Quoth Ron Bergin said:
2) Unless there is a possibility of having spaces in the filename,
there is no need (and most will say you shouldn't) use the quotes
around the var.

Perl is not shell. There is no need to quote variables, ever, unless you
*really* care about stringification for some reason.

Ben
 
Eric Schwartz

Petr Vileta said:
## open(DATA, "$logfile")|| die("File is not exist!\n");
###############
open(DATA, "$logfile") or die("File not exist or not permission to read!\n");

Why not just let Perl tell you what went wrong? Also, don't need to
quote "$logfile", and you can use lexical filehandles instead of
needing globals like DATA:

open my $data, '<', $logfile or die "Can't open data file: $!";

-=Eric
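
The suggestions made across this thread (entity-encoding the file content, a fixed map of log names instead of a user-supplied path, three-argument open with a lexical filehandle, one <PRE> block closed with </PRE>), combined as an added example that is not code from any poster. The `render_log` helper, the `log1` key and the temporary sample file are assumptions made so the script runs stand-alone.

```perl
#!/usr/bin/perl
# Add -T (taint mode) to the line above when deploying as a CGI, as suggested in the thread.
use strict;
use warnings;
use CGI;
use HTML::Entities qw(encode_entities);
use File::Temp qw(tempfile);

# Constructed sample log so the example runs offline. In a deployment,
# %logs would map each key to a fixed server-side path.
my ($tmp_fh, $tmp_path) = tempfile(UNLINK => 1);
print {$tmp_fh} "disk usage < 80% & rising\n", "<b>restart</b> scheduled\n";
close $tmp_fh;

my %logs = (log1 => $tmp_path);   # hypothetical key

# Returns (HTTP status, HTML fragment) for the requested log key.
sub render_log {
    my ($key) = @_;

    # Allowlist lookup: the parameter selects a key and is never used as a path.
    return ('400 Bad Request', '<p>Unknown log.</p>')
        unless defined $key && exists $logs{$key};

    # Three-argument open with a lexical filehandle; DATA stays untouched.
    open(my $log, '<', $logs{$key})
        or return ('500 Internal Server Error', '<p>Cannot read log.</p>');

    my $body = '<pre>';
    while (my $line = <$log>) {
        # File content is data, not markup: turn <, >, &, " and ' into entities.
        $body .= encode_entities($line, q{<>&"'});
    }
    close $log;
    return ('200 OK', $body . '</pre>');
}

my $cgi = CGI->new;
# scalar() avoids CGI.pm's list-context warning for param().
my ($status, $body) = render_log(scalar $cgi->param('logfile'));

print $cgi->header(-type => 'text/html', -status => $status, -expires => 'now');
print $cgi->start_html('Details of the configurations'), $body, $cgi->end_html;
```

Run from a shell as `perl example.pl logfile=log1` to see the encoded output; any other value, such as `logfile=/etc/passwd`, returns the 400 response without touching the filesystem.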
 
