Question about Javascript and Perl form

[Scott Medaugh]

From: "Scott Medaugh" <[email protected]>
Subject: Question about Javascript and Perl form
Date: Monday, November 01, 2004 12:15 PM

Hello,

I am trying to do something unusual and it has me stumped. I am looking to
change the Env variable for RemoteUser essentially. What I would like to
happen is that the user would choose a name from the dropdown box populated
by the list in test.txt. Once the user chooses that name, the home
directory is then pointed to the chosen name and the user is able to see the
files listed in the new directory. I have included the snippet that I have
been trying to accomplish this with and would gladly appreciate some
feedback on how to make this happen.




#my $user_file = "/Volumes/data01/cgi-bin/rem_user.txt";
my $user_file = "test.txt";

# The code sections generate the pulldown boxes in the slug form.
#
# Freeform fields are populated from cookies with inline perl.
#

print $query->header ( );

print <<END_HTML;

<HTML>
<head>

<script language="JavaScript">

function changeUser(user){
remoteuser = $user;
homedir = "/Volumes/data01/Users/$remoteuser";
alert("$homedir");

}



</script>

<link rel="stylesheet" href="/catch.css" type="text/css" />
</head>
<body>
<div id="Header">
<div id="MainText">

<form action="/cgi-bin/slugreg"
enctype="multipart/form-data" name="dataBuild" onSubmit="return
verify(this.form)" method="post">

<h3> SLUG ENTRY FORM</h3>

<table>
<tr><td>
<span CLASS="intable">
Select User Name:
</td><td>


END_HTML

############################################################################
###########################
###Start Media Manager special###

open (REMUSER, "$user_file") || Error('open','file');
#read (REMUSER);
my @users = <REMUSER>;

close (REMUSER);

print "<select name='uname'>\n";
foreach (@users){
print "<option value='$_'>$_'";
}

print "</select>\n";

sub Error {
print "Content type: text/html\n\n";
print "The server cannot $_[0] the $_[1]: $! \n";
exit;
}
############################################################################
##########################

print <<END_HTML;
</td><td>
<input type="button" name="test" value="Change User!"
onClick="changeUser(document.dataBuild.uname.options[document.dataBuild.unam
e.selectedIndex].value)">
</td></tr>

<tr><td>
<span CLASS="intable">
Select File You've Uploaded:
</td><td>
<select name="photo">

END_HTML

# -------------------------------- code /
html ---------------------------------

# This code generates a list of files in their home directory for the file
pulldown box

opendir(DIRHANDLE, "$homedir");
while ($name = readdir(DIRHANDLE)) {
open(FILEHANDLE, "$homedir/$name");
if ((-f FILEHANDLE) and ($name ne ".htaccess") and ($name ne ".DS_Store"))
{

print "<option value='$name'>$name\n";
#end if
}
#end while
}

 

[A. Sinan Unur]

From: "Scott Medaugh" <[email protected]>
Subject: Question about Javascript and Perl form
Date: Monday, November 01, 2004 12:15 PM

No need to repeat this information in the body of your post.

I am trying to do something unusual and it has me stumped. I am
looking to change the Env variable for RemoteUser essentially.

Your question is related to CGI and web server configuration and not to
Perl specifically. You should post in the appropriate groups.

Incidentally, I am not sure what you mean by RemoteUser. There is an
environment variable REMOTE_USER set by the web server upon successful
basic authentication. See:

http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html#6.1.12

would like to happen is that the user would choose a name from the
dropdown box populated by the list in test.txt. Once the user chooses
that name, the home directory is then pointed to the chosen name and
the user is able to see the files listed in the new directory.

You'll need to partition/explain your problem better.

use strict;
use warnings;

#my $user_file = "/Volumes/data01/cgi-bin/rem_user.txt";
my $user_file = "test.txt";

....

In the code below, I do not see any effort to untaint the incoming
variable.

perldoc perlsec

open (REMUSER, "$user_file") || Error('open','file');

perldoc -q always quote

Found in C:\Perl\lib\pod\perlfaq4.pod
What's wrong with always quoting "$vars"?

sub Error {
print "Content type: text/html\n\n";
print "The server cannot $_[0] the $_[1]: $! \n";
exit;
}

This is really, really not necessary or even useful:

1. You have already sent a header above.

2. die together with CGI::Carp does this right

#######################################################################
##### ##########################

print <<END_HTML;
</td><td>
<input type="button" name="test" value="Change User!"
onClick="changeUser(document.dataBuild.uname.options[document.dataBuild
.unam e.selectedIndex].value)">
</td></tr>

This whole mixing HTML, Javascript and Perl together thing is making it
very hard (at least for me) to follow what you are trying to accomplish. I
am going to suggest HTML::Template.

# This code generates a list of files in their home directory for the
file pulldown box

opendir(DIRHANDLE, "$homedir");
while ($name = readdir(DIRHANDLE)) {
open(FILEHANDLE, "$homedir/$name");
if ((-f FILEHANDLE) and ($name ne ".htaccess") and ($name ne
".DS_Store"))

Again, you are trying to deal with something that should be a web server
configuration issue. Also, since you have not untainted the $name variable,
this will pretty much echo any file on your server.

Sinan.