bad header 
Author Message
 bad header

I have a perl program which accepts input from an html form where a user
can enter comments in a text area.(using Apache,Linux)
When the form is submitted, the perl program stores the user input in a
variable($parameter) and then executes a shell command passing the
variable to a perl program on another machine(HP-UNIX) where the data
gets written out to a file.

$runcommand = "rsh machine /usr/bin/nsperl
/u/data/CONSAC/SRC.PERL/runuvprog.pl $parameter";
system ($runcommand);

When the shell command returns the perl program reads in an html
page(stating that the form has been received) from a file and prints it
out to the browser.

sub print_page{
 print "Content-type: text/html\n\n";
 open(INFILE, "<$infile");
  while(<INFILE>){
    print;
    }
 close(INFILE);

Quote:
}

This works fine when only one line of text has been input in the text
area. When I submit the form after having entered more than one line of
comments in the text area(and the text has wrapped) then I get an error
message:

The server encountered an internal error or misconfiguration and was
unable to complete your request.

The server error log says:
[Wed Sep  5 09:27:10 2001] [error] [client 131.2.4.203] malformed header
from script. Bad header=Attempted READ of record ID la:
/home/httpd/cgi-bin/peer.pl

Although I get an error message, the data($parameter) always gets passed
via the rsh command and written out to file correctly.

I'm trying to find out how the wrapping of the text in the text area
would cause the perl program to generate the error message. I've tried
stripping out carraige returns and line feeds which didn't seem to help
any.
Thanks for any suggestions.



Sun, 22 Feb 2004 22:35:10 GMT  
 bad header
Matt Carey schrieb:

Quote:
> I have a perl program which accepts input from an html form where a user
> can enter comments in a text area.(using Apache,Linux)
> When the form is submitted, the perl program stores the user input in a
> variable($parameter) and then executes a shell command passing the
> variable to a perl program on another machine(HP-UNIX) where the data
> gets written out to a file.

First bad idea: Don't pass variables written by nay user to your perl
program without qouting "dangerous commands"!!

Quote:

> $runcommand = "rsh machine /usr/bin/nsperl
> /u/data/CONSAC/SRC.PERL/runuvprog.pl $parameter";
> system ($runcommand);

Second mistake: Do not run rsh!!! AND DO NOT run it on a webserver
executing commands that a user can specify!!!
Also quote and check the inputs before running a system() call.

Quote:

> When the shell command returns the perl program reads in an html
> page(stating that the form has been received) from a file and prints it
> out to the browser.

> sub print_page{
>  print "Content-type: text/html\n\n";
>  open(INFILE, "<$infile");
>   while(<INFILE>){
>     print;
>     }
>  close(INFILE);
> }

> This works fine when only one line of text has been input in the text
> area. When I submit the form after having entered more than one line of
> comments in the text area(and the text has wrapped) then I get an error
> message:

> The server encountered an internal error or misconfiguration and was
> unable to complete your request.

> The server error log says:
> [Wed Sep  5 09:27:10 2001] [error] [client 131.2.4.203] malformed header
> from script. Bad header=Attempted READ of record ID la:
> /home/httpd/cgi-bin/peer.pl

> Although I get an error message, the data($parameter) always gets passed
> via the rsh command and written out to file correctly.

> I'm trying to find out how the wrapping of the text in the text area
> would cause the perl program to generate the error message. I've tried
> stripping out carraige returns and line feeds which didn't seem to help
> any.
> Thanks for any suggestions.

Afterall: Just use a perl script! It should look like this:

#!/usr/bin/perl

use CGI;

my $cgi = new CGI;

$textbox  = $cgi->param($name_of_the_textarea);

print $cgi->header;
print $cgi->start_html;
print "You have typed the following:<br>";
print $textbox;
$cgi->end_html;

Greets

Bastian Ballmann

--
Djz rule the world! ...and some other staff ;-p Find out at http://www.crazydj.de



Sun, 22 Feb 2004 23:41:05 GMT  
 bad header


Quote:
>I have a perl program which accepts input from an html form where a user
>can enter comments in a text area.(using Apache,Linux)
>When the form is submitted, the perl program stores the user input in a
>variable($parameter) and then executes a shell command passing the
>variable to a perl program on another machine(HP-UNIX) where the data
>gets written out to a file.

>$runcommand = "rsh machine /usr/bin/nsperl
>/u/data/CONSAC/SRC.PERL/runuvprog.pl $parameter";
>system ($runcommand);

bad bad bad BAD
consider what happens if the input contains: |rm -Rf /*

if you want to to use rsh, at least transform $parameter into some
harmless form, for example, you could urlencode it or something
make sure that at least all characters other than a-zA-Z are encoded
this will solve your error, because then no linefeeds will be emitted into
your system() commandline
the program on the other end, must decode the argument, of course.

but why use rsh?
why not let your cgi generate the file, and then just copy it over.
or you could just put it into a queue directory, and let some other
process copy the files over. this way, the cgi will not have to wait
for the other server.

Quote:

>When the shell command returns the perl program reads in an html
>page(stating that the form has been received) from a file and prints it
>out to the browser.

>sub print_page{
> print "Content-type: text/html\n\n";
> open(INFILE, "<$infile");
>  while(<INFILE>){
>    print;
>    }
> close(INFILE);
>}

>This works fine when only one line of text has been input in the text
>area. When I submit the form after having entered more than one line of
>comments in the text area(and the text has wrapped) then I get an error
>message:

this happens because you have not yet printed the Content-type: line
when you do the system(). if that results in some output, that will
be sent to the webserver before the Content-type:

to be safe, you should
  a) $|=1;
  b) print the  Content-type: line
  c) call the system
in this order

gnari



Mon, 23 Feb 2004 19:26:13 GMT  
 
 [ 3 post ] 

 Relevant Pages 

1. Bad header=HTTP/1.1 200 OK

2. Bad header=HTTP/1.1 200>

3. LWP doesn't display page - bad header

4. more bad header

5. bad header

6. Bad header request

7. Bad Request Header

8. Bad request header

9. HTTP::Headers - getting request headers

10. HTTP::Header: adding a header

11. The worst code you ever had to fix...?

12. possible DoS by exploiting worst-case hashing

 

 
Powered by phpBB® Forum Software