ch07_03.htm

By Tom Christiansen and Nathan Torkington ISBN 1-56592-243-3 First Edition, published August 1998

<HTML
><HEAD
>
<TITLE>Recipe 7.2. Opening Files with Unusual Filenames (Perl Cookbook)</TITLE>
<META
NAME="DC.title"
CONTENT="Perl Cookbook"><META
NAME="DC.creator"
CONTENT="Tom Christiansen &amp; Nathan Torkington"><META
NAME="DC.publisher"
CONTENT="O'Reilly &amp; Associates, Inc."><META
NAME="DC.date"
CONTENT="1999-07-02T01:36:03Z"><META
NAME="DC.type"
CONTENT="Text.Monograph"><META
NAME="DC.format"
CONTENT="text/html"
SCHEME="MIME"><META
NAME="DC.source"
CONTENT="1-56592-243-3"
SCHEME="ISBN"><META
NAME="DC.language"
CONTENT="en-US"><META
NAME="generator"
CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"><LINK
REV="made"
HREF="mailto:online-books@oreilly.com"
TITLE="Online Books Comments"><LINK
REL="up"
HREF="ch07_01.htm"
TITLE="7. File Access"><LINK
REL="prev"
HREF="ch07_02.htm"
TITLE="7.1. Opening a File"><LINK
REL="next"
HREF="ch07_04.htm"
TITLE="7.3. Expanding Tildes in Filenames"></HEAD
><BODY
BGCOLOR="#FFFFFF"><img alt="Book Home" border="0" src="gifs/smbanner.gif" usemap="#banner-map" /><map name="banner-map"><area shape="rect" coords="1,-2,616,66" href="index.htm" alt="Perl Cookbook"><area shape="rect" coords="629,-11,726,25" href="jobjects/fsearch.htm" alt="Search this book" /></map><div class="navbar"><p>
<TABLE
WIDTH="684"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch07_02.htm"
TITLE="7.1. Opening a File"
><IMG
SRC="../gifs/txtpreva.gif"
ALT="Previous: 7.1. Opening a File"
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="228"
><B
><FONT
FACE="ARIEL,HELVETICA,HELV,SANSERIF"
SIZE="-1"
><A
CLASS="chapter"
REL="up"
HREF="ch07_01.htm"
TITLE="7. File Access"
></A
></FONT
></B
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch07_04.htm"
TITLE="7.3. Expanding Tildes in Filenames"
><IMG
SRC="../gifs/txtnexta.gif"
ALT="Next: 7.3. Expanding Tildes in Filenames"
BORDER="0"></A
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="sect1"
><H2
CLASS="sect1"
><A
CLASS="title"
NAME="ch07-17895"
>7.2. Opening Files with Unusual Filenames</A
></H2
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch07-pgfId-382"
>Problem<A
CLASS="indexterm"
NAME="ch07-idx-1000009593-0"
></A
></A
></H3
><P
CLASS="para"
>You want to open a file with a funny filename, like <CODE
CLASS="literal"
>&quot;-&quot;</CODE
> or one that starts with &lt;, &gt;, or <CODE
CLASS="literal"
>|</CODE
>, has leading or trailing whitespace; or ends with <CODE
CLASS="literal"
>|</CODE
>. You don't want these to trigger <CODE
CLASS="literal"
>open</CODE
>'s do-what-I-mean behavior, since in this case, that's <EM
CLASS="emphasis"
>not</EM
> what you mean.</P
></DIV
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch07-pgfId-388"
>Solution</A
></H3
><P
CLASS="para"
>Use <CODE
CLASS="literal"
>open</CODE
> like this: <A
CLASS="indexterm"
NAME="ch07-idx-1000009592-0"
></A
><A
CLASS="indexterm"
NAME="ch07-idx-1000009592-1"
></A
></P
><PRE
CLASS="programlisting"
>$filename =~ s#^(\s)#./$1#;
open(HANDLE, &quot;&lt; $filename\0&quot;)          or die &quot;cannot open $filename : $!\n&quot;;</PRE
><P
CLASS="para"
>Or simply use <CODE
CLASS="literal"
>sysopen</CODE
>:</P
><PRE
CLASS="programlisting"
>sysopen(HANDLE, $filename, O_RDONLY)   or die &quot;cannot open $filename: $!\n&quot;;</PRE
></DIV
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch07-pgfId-402"
>Discussion</A
></H3
><P
CLASS="para"
>The <CODE
CLASS="literal"
>open</CODE
> function uses a single string to determine both the filename and the mode &nbsp;-  the way the file is to be opened. If your filename begins with the characters used to indicate the mode, <CODE
CLASS="literal"
>open</CODE
> can easily do something unexpected. Imagine the following code:</P
><PRE
CLASS="programlisting"
>$filename = shift @ARGV;
open(INPUT, $filename)               or die &quot;Couldn't open $filename : $!\n&quot;;</PRE
><P
CLASS="para"
>If the user gave <CODE
CLASS="literal"
>&quot;&gt;/etc/passwd&quot;</CODE
> as the filename on the command line, this code would attempt to open <EM
CLASS="emphasis"
>/etc/passwd</EM
> for writing &nbsp;-  definitely unsafe! We can try to give an explicit mode, say for writing:</P
><PRE
CLASS="programlisting"
>open(OUTPUT, &quot;&gt;$filename&quot;)
    or die &quot;Couldn't open $filename for writing: $!\n&quot;;</PRE
><P
CLASS="para"
>but even this would let the user give a filename of <CODE
CLASS="literal"
>&quot;</CODE
>&gt;<CODE
CLASS="literal"
>data&quot;</CODE
> and the code would append to the file <CODE
CLASS="literal"
>data</CODE
> instead of erasing the old contents.</P
><P
CLASS="para"
>The easiest solution is <CODE
CLASS="literal"
>sysopen</CODE
>, which takes the mode and filename as separate arguments:</P
><PRE
CLASS="programlisting"
>use Fcntl;                          # for file constants

sysopen(OUTPUT, $filename, O_WRONLY|O_TRUNC)
    or die &quot;Can't open $filename for writing: $!\n&quot;;</PRE
><P
CLASS="para"
>To get the same effect with <CODE
CLASS="literal"
>open</CODE
> requires chicanery if the filename has leading or trailing whitespace:</P
><PRE
CLASS="programlisting"
>$file =~ s#^(\s)#./$1#;
open(OUTPUT, &quot;&gt; $file\0&quot;)
        or die &quot;Couldn't open $file for OUTPUT : $!\n&quot;;</PRE
><P
CLASS="para"
>The substitution protects initial whitespace (this cannot occur in fully specified filenames like <CODE
CLASS="literal"
>&quot;/etc/passwd&quot;</CODE
>, but only in relative filenames like <CODE
CLASS="literal"
>&quot;</CODE
> <CODE
CLASS="literal"
>passwd&quot;</CODE
>). The NULL byte (<CODE
CLASS="literal"
>&quot;\0&quot;</CODE
>) isn't considered part of the filename by <CODE
CLASS="literal"
>open,</CODE
> but it does prevent any trailing whitespace from being ignored.</P
><P
CLASS="para"
>The magic way <CODE
CLASS="literal"
>open</CODE
> interprets filenames is nearly always a good thing. You never have to use the special case of <CODE
CLASS="literal"
>&quot;-&quot;</CODE
> to mean standard input or output. If you write a filter and use a simple <CODE
CLASS="literal"
>open</CODE
>, users can pass <CODE
CLASS="literal"
>&quot;gzip</CODE
> <CODE
CLASS="literal"
>-dc</CODE
> <CODE
CLASS="literal"
>bible.gz|&quot;</CODE
> as a filename, and your filter will automatically run the decoding program.</P
><P
CLASS="para"
>It's only those programs that run under special privilege that should worry about security with <CODE
CLASS="literal"
>open</CODE
>. When designing programs that will be run on someone else's behalf, like setuid programs or CGI scripts, the prudent programmer always considers whether the user can supply their own filename and thereby cajole what would otherwise appear to be a normal <CODE
CLASS="literal"
>open</CODE
> used for simple reading into overwriting a file or even running another program. Perl's <B
CLASS="emphasis.bold"
>-T</B
> command-line flag to enable taint-checking would take care of this.<A
CLASS="indexterm"
NAME="ch07-idx-1000009588-0"
></A
><A
CLASS="indexterm"
NAME="ch07-idx-1000009588-1"
></A
><A
CLASS="indexterm"
NAME="ch07-idx-1000009588-2"
></A
><A
CLASS="indexterm"
NAME="ch07-idx-1000009588-3"
></A
><A
CLASS="indexterm"
NAME="ch07-idx-1000009588-4"
></A
><A
CLASS="indexterm"
NAME="ch07-idx-1000009588-5"
></A
><A
CLASS="indexterm"
NAME="ch07-idx-1000009588-6"
></A
></P
></DIV
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch07-pgfId-444"
>See Also</A
></H3
><P
CLASS="para"
>The <CODE
CLASS="literal"
>open</CODE
> and <CODE
CLASS="literal"
>sysopen</CODE
> functions in <I
CLASS="filename"
>perlfunc </I
>(1) and <A
CLASS="olink"
HREF="../prog/ch03_01.htm"
>Chapter 3</A
> of <A
CLASS="citetitle"
HREF="../prog/index.htm"
TITLE="Programming Perl"
><CITE
CLASS="citetitle"
>Programming Perl</CITE
></A
>; <A
CLASS="xref"
HREF="ch07_02.htm"
TITLE="Opening a File"
>Recipe 7.1</A
>; <A
CLASS="xref"
HREF="ch07_08.htm"
TITLE="Writing a Filter"
>Recipe 7.7</A
>; <A
CLASS="xref"
HREF="ch16_03.htm"
TITLE="Running Another Program"
>Recipe 16.2</A
>; <A
CLASS="xref"
HREF="ch19_05.htm"
TITLE="Writing a Safe CGI Program"
>Recipe 19.4</A
>; <A
CLASS="xref"
HREF="ch19_07.htm"
TITLE="Executing Commands Without Shell Escapes"
>Recipe 19.6</A
></P
></DIV
></DIV
><DIV
CLASS="htmlnav"
><P
></P
><HR
ALIGN="LEFT"
WIDTH="684"
TITLE="footer"><TABLE
WIDTH="684"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch07_02.htm"
TITLE="7.1. Opening a File"
><IMG
SRC="../gifs/txtpreva.gif"
ALT="Previous: 7.1. Opening a File"
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="book"
HREF="index.htm"
TITLE="Perl Cookbook"
><IMG
SRC="../gifs/txthome.gif"
ALT="Perl Cookbook"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch07_04.htm"
TITLE="7.3. Expanding Tildes in Filenames"
><IMG
SRC="../gifs/txtnexta.gif"
ALT="Next: 7.3. Expanding Tildes in Filenames"
BORDER="0"></A
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="228"
>7.1. Opening a File</TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="index"
HREF="index/index.htm"
TITLE="Book Index"
><IMG
SRC="../gifs/index.gif"
ALT="Book Index"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="228"
>7.3. Expanding Tildes in Filenames</TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="684"
TITLE="footer"><FONT
SIZE="-1"
></DIV<!-- LIBRARY NAV BAR --> <img src="../gifs/smnavbar.gif" usemap="#library-map" border="0" alt="Library Navigation Links"><p> <a href="copyrght.htm">Copyright &copy; 2002</a> O'Reilly &amp; Associates. All rights reserved.</font> </p> <map name="library-map"> <area shape="rect" coords="1,0,85,94" href="../index.htm"><area shape="rect" coords="86,1,178,103" href="../lwp/index.htm"><area shape="rect" coords="180,0,265,103" href="../lperl/index.htm"><area shape="rect" coords="267,0,353,105" href="../perlnut/index.htm"><area shape="rect" coords="354,1,446,115" href="../prog/index.htm"><area shape="rect" coords="448,0,526,132" href="../tk/index.htm"><area shape="rect" coords="528,1,615,119" href="../cookbook/index.htm"><area shape="rect" coords="617,0,690,135" href="../pxml/index.htm"></map> </BODY
></HTML
>