
unlink($ful) does not delete 1

Status
Not open for further replies.

daithimcc

Instructor
Dec 7, 2007
4
IT
I have been trying to delete a file using a script and it is refusing to go. (I have very little experience of Perl). One script creates the temporary file (empty) and later another is to delete it.
The url passes a parameter to the script:
e.g. dfile.pl?f=abcde

The filename f obviously varies.

In the script:
Perl:
$thef=param('f');
$ful="../../alpha/tempf/".$thef;
unlink($ful);

refuses to delete the file (e.g. abcde). When I manually enter:
unlink("../../alpha/tempf/abcde"); it goes. (It has nothing to do with file permissions).

Also I can test if the file exists, using the variable, -e $fnmi and I get true.

I would be very grateful if someone could suggest what the problem is here!
 
What is param?
Can you check for the value of $thef? Is it 'abcde' - any other characters?
Try this:
1) create a file called 'abcde'


2) Use this code:
my $file='abcde';
my $unl= "rm $file"; #for unix, use "del $file" for windows
unless(-e $file) {print "$file does not exist\n";}

my $rc = 0xffff & system("$unl ");
if($rc){print "$unl failed with rc=$rc and $!\n";}

This will hopefully tell you why the unlink fails.
Then you can see what the problem is and after you solve it, put back the unlink
 
Unfortunately I have got no further. I am working on a Macintosh computer, but uploading the scripts to my website and running them via my browser address bar.
So to run tester.pl in safari (browser) I type
This is what I have used (based on what you said):
Code:
#!/usr/bin/perl -wT

use CGI ':standard';
use CGI::Carp qw(fatalsToBrowser); 


use strict;
use warnings;

my $file='abcde';
my $unl= "rm $file"; #for unix, use "del $file" for windows
print "Content-type: text/html\n\n"; 

unless(-e $file) {print "$file does not exist\n";}

my $rc = 0xffff & system("$unl ");

if($rc){print "$unl failed with rc=$rc  and $!\n";}

I get no output at all and the file abcde remains. (I tried both your unix and windows versions). I have abcde in the same directory as the perl script. When I change the unless to if, it does print that abcde does not exist.
(I know it's probably something simple that I just don't know).

The param I spoke about - I believed that was the way you pick up a parameter which has been passed to a script e.g. ...../delfile.pl?f=abcde

and then in the script have something like $fil=param('f'); to 'pick it up'?
(I really know nothing about perl as you can see).

Thanks for any help!
David
 
try this and see what the die command prints:

unlink($ful) or die "Can't delete $ful : $!";

------------------------------------------
- Kevin, perl coder unexceptional! [wiggle]
 
It was desperation and frustration - but the strategy worked! (5 forums)
The error given is "Insecure dependency in unlink while running with -T switch at dfl.pl line 42", which I solved by removing the -T switch! I didn't realise these error messages were generated on the server log and not in the browser window. Someone called 'dah' on perlmonks pointed me there. Thank you very much for your help. I can now get on with my life!
 
You should untaint the input and continue to use the T switch, which is there to protect you from this sort of insecure action.

------------------------------------------
- Kevin, perl coder unexceptional! [wiggle]
 
Thanks for your admission of 5 fora, glad this worked out, you know who to trust in future ...

BTW it really pisses people off if the same question is asked in different fora, just thought you'd like to know ;-)

Paul
------------------------------------
Spend an hour a week on CPAN, helps cure all known programming ailments ;-)
 
Agreed Paul, but it's fairly common unfortunately.

daithimcc,

I second Kevin's comment that you keep in the use of taint protection. In this case, it's trying to protect against someone having full delete permissions across your file system. Basically you should be ensuring that no one includes the updir as a filename.

- Miller
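
Added example, not part of any post in this thread: one way to follow the advice above (untaint the parameter, keep the -T switch, and refuse anything containing an updir). The helper name untaint_name and the 1 to 32 character alphanumeric rule are assumptions; the directory is the one from the original post.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI qw(param header);

# Directory from the original post. It is a literal in the script,
# so it is not tainted.
my $TEMP_DIR = '../../alpha/tempf';

# Return an untainted copy of the name, or undef if it is not acceptable.
# Under -T only a regex capture ($1) clears the taint flag; copying or
# concatenating the value keeps it tainted.
# Assumed policy: 1 to 32 ASCII letters or digits. That allow-list leaves
# no room for '/', '..', NUL bytes or shell metacharacters.
# \A and \z anchor the whole string; '$' would also accept a trailing "\n".
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9]{1,32})\z/ ? $1 : undef;
}

print header('text/plain');

# Everything from the query string is tainted. Passing it straight to
# unlink is what produces "Insecure dependency in unlink while running
# with -T switch".
my $name = untaint_name(scalar param('f'));

unless (defined $name) {
    print "Rejected: invalid file name\n";
    exit;
}

# Built only from a script constant and the validated capture, so the
# path is untainted and unlink is allowed to run.
my $ful = "$TEMP_DIR/$name";

if (unlink $ful) {
    print "Deleted $name\n";
}
else {
    # $! explains the failure (e.g. "No such file or directory").
    print "Could not delete $name: $!\n";
}
```

A request such as f=../../index would be rejected before unlink is reached, because '/' and '.' are outside the allow-list.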
 
At the risk of repeating what I have already posted in another forum(!!): I actually always intended to validate the input (and have since). The input has to be of a certain length and contain only certain (alphanumeric) characters. Also the input is not really the file name - it is then mashed up severely in the script to produce the filename, so there should not be any danger from anyone putting in another filename or path. I didn't know that this is what Taint Mode wants. (I didn't know what Taint mode was)!
Thanks again for all the help.
 
Glad to hear you got it working.

Yes, taint mode has got to be one of the worst naming choices in perl. My gut reaction to the name is that it would make the code "dirtier", rather than safer.

For good discussions on taint protection, pick up the following O'Reilly books.
  • CGI Programming with Perl - Chapter 8, Security
  • Perl Best Practices

- Miller
 