文件路径名存在问题，可能是字符损坏 [英] Issue with filepath name, possible corrupt characters

问题描述

Perl和html，Linux上的CGI。
文件路径名的问题，在表单字段中传递给服务器上的CGI。
问题出在Linux文件路径，而不是PC端。

Perl and html, CGI on Linux. Issue with file path name, being passed in a form field, to a CGI on server. The issue is with the Linux file path, not the PC side.

我正在使用2个程序，
1）年前编写的程序，在perl程序中生成的动态html，并以表格形式呈现给用户。我通过插入所需的代码进行了修改，以允许用户从其PC中选择要放置在Linux机器上的文件。

I am using 2 programs, 1) program written years ago, dynamic html generated in a perl program, and presented to the user as a form. I modified by inserting the needed code to allow a the user to select a file from their PC, to be placed on the Linux machine.

因为该程序已经知道linux端所需的文件路径，所以我将此文件路径以隐藏的形式传递给程序2。

Because this program already knew the filepath, needed on the linux side, I pass this filepath in a hidden form field, to program 2.

2）Linux端的CGI程序，在发布（1）上的表单时运行。

2) CGI program on Linux side, to run when form on (1) is posted.

奇怪的问题。
我传递的文件路径有一个非常奇怪的问题。
我可以使用

Strange issue. The filepath that I pass, has a very strange issue. I can extract it using

my $filepath = $query->param("serverfpath");

以上内容确实用看起来完全正确的路径填充了$ filepath。

但是它失败了，并且不会以某种方式将我带到文件打开错误块，而是使对CGI脚本的调用产生了错误。

The above does populate $filepath with what looks like exactly the correct path.
But it fails, and not in a way that takes me to the file open error block, but such that the call to the CGI script gives an error.

但是，如果我使用完全相同的字符串填充$ filepath，则通过硬编码可以正常工作，并且我的文件成功上传。

However, if I populate $filepath with EXACTLY the same string, via hard coding it, it works, and my file successfully uploads.

例如：

$fpath1 = $query->param("serverfpath");
$fpath2 = "/opt/webhost/ims/DOCURVC/data" 

比较$ fpath1和$ fpath2的值表明它们完全相等。
$ fpath1和$ fpath2的长度检查显示它们的长度完全相同。

A comparison of $fpath1 and $fpath2 reveals that they are exactly equal. A length check of $fpath1 and $fpath2 reveals that they are exactly the same length.

我尝试了多种清除$ fpath1中数据的方法。
我砍了。
我删除了所有非标准字符。

I have tried many methods of cleaning the data in $fpath1. I chomp it. I remove any non standard characters.

$fpath1  =~ s/[^A-Za-z0-9\-\.\/]//g;

这：

my $safe_filepath_characters = "a-zA-Z0-9_.-/";
$fpath1 =~ s/[^$safe_filepath_characters]//g;

但是无论我做什么，使用$ fpath1都会导致错误，而使用$ fpath2则可以。

But no matter what I do, using $fpath1 causes an error, using $fpath2 works.

$ fpath1中的数据可能有问题，这将导致它成功地与$ fpath2比较，但不相等，在视觉上看起来完全相等，显示为具有

What could be wrong with the data in the $fpath1, that would cause it to successfully compare to $fpath2, yet not be equal, visually look exactly equal, show as having the exact same length, but not work the same?

对于下面的文件打开块。

For the below file open block.

$upload_dir = $fpath1 

导致CGI完全加载失败，就好像它找不到CGI（我知道有时是由于CGI脚本中的语法错误引起的。）

causes complete failure of CGI to load, as if it can not find the CGI (which I know is sometimes caused by syntax error in the CGI script).

$uplaod_dir = $fpath2   

我成功上传了文件

$uplaod_dir = ""        

对cgi的调用确实不会失败，如果期望的话，它将执行下面的else块。

The call to the cgi does not fail, it executes the else block of the below if, as expected.

这是文件打开块：

if (open ( UPLOADFILE, ">$upload_dir/$filename" ))   
{
binmode UPLOADFILE;

while ( <$upload_filehandle> )
{
print UPLOADFILE;
}

close UPLOADFILE;
$msgstr="Done with Upload: upload_dir=$upload_dir filename=$filename";
}
else
{
$msgstr="ERROR opening for upload: upload_dir=$upload_dir filename=$filename";
}

我应该在$ fpath1上执行哪些其他测试，以找出原因？与硬编码的等效$ fpath2

What other tests should I be performing on $fpath1, to find out why it does not work the same as its hard-coded equivalent $fpath2

的工作方式不同我确实尝试过从$ fpath2到$ fpath1一次字符替换。
即使使用单个字符执行此操作，也会导致$ fpath1与$ fpath2出现相同的错误，尽管该字符看起来完全相同。

I did try character replacement, a single character at a time, from $fpath2 to $fpath1. Even doing this with a single character, caused $fpath1 to have the same error as $fpath2, although the character looked exactly the same.

推荐答案

您的CGI可能是在 -T （污点模式）开关（例如，＃！/ usr / bin / perl -T ）？如果是这样，则不允许将来自不受信任来源（例如用户输入，URI和表单字段）的任何值用于系统操作，例如 open ，直到使用正则表达式捕获将其取消污染为止。请注意，使用 s / // 对其进行原位修改将不会不会取消该值。

Is your CGI perhaps running perl with the -T (taint mode) switch (e.g., #!/usr/bin/perl -T)? If so, any value coming from untrusted sources (such as user input, URIs, and form fields) is not allowed to be used in system operations, such as open, until it has been untainted by using a regex capture. Note that using s/// to modify it in-place will not untaint the value.

$fpath1  =~ /^([A-Za-z0-9\-\.\/]*)$/;
$fpath1 = $1;
die "Illegal character in fpath1" unless defined $fpath1;

如果污染模式是您的问题，应该可以工作。

should work if taint mode is your issue.

这篇关于文件路径名存在问题，可能是字符损坏的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！