0
我有一个CGI脚本上传是如下CGI上传脚本在Perl
#!/usr/bin/perl
use CGI;
use CGI::Carp qw(fatalsToBrowser);
my $cgi = new CGI;
my $file = $cgi->param('file');
$file=~m/^.*(\\|\/)(.*)/; # strip the remote path and keep the filename
my $name = $2;
open(LOCAL, ">/home/Desktop/$name") or die $!;
while(<$file>) {
$data .= $_;
}
print $cgi->header();
print "$file has been successfully uploaded... thank you.\n";
print $data;
的HTML文件如下
<html>
<head>
<title>Test</title>
</head>
<body>
<form enctype="multipart/form-data" action="upload.cgi" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
</body>
</html>
我现在得到一个奇怪的错误..
Software error:
Is a directory at htdocs/upload.cgi line 9.
For help, please send mail to this site's webmaster, giving this error message and the time and date of the error.
是否可以使用'chroot'来防止恶意操作超出所需的目录? –
@jingyu这将是朝着正确的方向迈进的一步,尽管你仍然通过这个上传位置(“/ home/Desktop”)进入一些危险的可能性 - 写入用户空间。有人可能会覆盖目录中的文件,创建一个文件,*看起来*就像你的硬盘是恶意软件,等等...... – 2013-10-18 15:29:22
感谢您的帮助 –