Vulnerability Development mailing list archives

Re: PERL's -e check


From: Adam Prato <sirsyko () MERGIOO ISHIBOO COM>
Date: Mon, 25 Dec 2000 23:29:53 -0800

On Sun, Dec 24, 2000 at 07:11:40PM -0500, Joe Testa wrote:
> Hi all --
>
>       I've noticed here and there that some PERL scripts pass user input
> directly into an open() call protected by a "-e" check.  Example:
>
>       # $temp_file is taken from the submitted form
>       if(-e $temp_file) {
>               open(TEMP, "<$temp_file");
>               ...
>       }
>
>       Is there any trick that would bypass the "-e"?  Thanks in advance.
>
>       - Joe Testa
>
>
> P.S.  Greets to @stake and the cDc.

All this does is open a filehandle (TEMP) based on the filename stored in
$temp_file if it exists (checked by the -e test operator)...

The standard way to "defeat" this is to symlink the file stored in $temp_file to
a different file on the system.  Thus if the script runs with elevated
privileges, you could access data accessible by the elevated privileges.

Beyond this, I'm at a loss for what you are trying to accomplish. What do you
mean that "PERL scripts pass user input directly into an open call 'protected
by a -e check'"? This doesn't make much sense.

Are you saying that some perl scripts (assuming you mean a cgi) take user
input and write the user input to a filehandle? The "-e" does nothing to
'protect' this. And the only trick to "bypass" the -e test operator is to
first create the file it's looking for somehow (since -e checks to see if a file
exists).

<ss>
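As an added example (not code from either poster), here is the check-then-open pattern from the original post next to a hardened version in Perl: the submitted string is reduced to a plain filename anchored under a fixed directory, and the file is opened with O_NOFOLLOW so a symlink planted at that name is refused by the kernel at open time rather than by a racy pre-check. The $BASE directory and the allowed filename alphabet are assumptions, and O_NOFOLLOW is assumed to be exported by Fcntl on the platform.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW);
use File::Spec;

# Assumed fixed directory the script is allowed to read from.
my $BASE = '/var/app/tmp';

# The pattern from the post: -e only says "something exists at that name".
# It says nothing about whether the name is a symlink, a device, or where
# it points, and the 2-arg open still parses the string as a mode+path.
sub open_unsafe {
    my ($temp_file) = @_;
    return undef unless -e $temp_file;
    open(my $fh, "<$temp_file") or return undef;
    return $fh;
}

# Hardened: never use the submitted string as a path. Reduce it to a
# plain filename, anchor it under $BASE, and open with O_NOFOLLOW so a
# symlink at that name fails at open time (a separate -l test before
# open would still leave a check-then-use race window).
sub open_safe {
    my ($name) = @_;
    # Conservative filename alphabet: no separators, no NUL, bounded length.
    return (undef, 'bad name')
        unless defined $name && $name =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    # "." and ".." pass the alphabet above, so reject them explicitly.
    return (undef, 'bad name') if $name =~ /\A\.\.?\z/;
    my $path = File::Spec->catfile($BASE, $name);
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW)
        or return (undef, "open failed: $!");
    # Refuse anything that is not a regular file (devices, fifos, dirs).
    return (undef, 'not a regular file') unless -f $fh;
    return ($fh, undef);
}

if (@ARGV) {
    my ($fh, $err) = open_safe($ARGV[0]);
    if ($fh) { print while <$fh>; close $fh }
    else     { print STDERR "$err\n" }
}
```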
