You're missing the obvious error.
A popup menu is created to specify a memo value, but there is nothing enforcing the user to only specify one of the prepopulated values. They could specify anything.
There isn't even any enforcement of a POST request method, so editing the form parameters in the URL would be sufficient for specifying a value:
http://www.yourdomain.com/form.cgi?memo=/etc/naughty/boy
Validation
To avoid the attack, one must validate that the data is within our expected range of values by either:
- Reusing the values used to populate the popup_menu and comparing against them.
- Using a regular expression to match the expected format.
The least likely to introduce a new bug would be to reuse the original values. This is because it's very easy to not make a regex restrictive enough. For example, allowing the updir .. to be included in the path somewhere.
Additionally, the open call should use the 3 parameter form along with a lexical filehandle while we're at it. We do not want to allow the user to specify the mode of opening the file.
open my $fh, '<', $memo or die "Can't open $memo: $!";
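The following is an added example of the validation approach described above (reusing the popup_menu values as the allowlist, then opening with the three-argument form); it is not code from the answer's author or the original script. The memo names, the temporary directory standing in for the memo folder, and the hash standing in for the submitted request parameters are all constructed so that the script runs offline without CGI.pm; in the real script the value would come from param('memo').

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# The values that populate the popup_menu. Constructed example names;
# the original form's values are not shown on the page.
my @memo_values = qw(notes.txt todo.txt journal.txt);

# Build the allowlist once from the same list, so the check and the menu
# cannot drift apart the way a hand-written regex can.
my %is_allowed = map { $_ => 1 } @memo_values;

# Constructed stand-in for the directory that holds the memo files.
my $memo_dir = tempdir(CLEANUP => 1);
for my $name (@memo_values) {
    open my $out, '>', "$memo_dir/$name" or die "Can't create $name: $!";
    print $out "contents of $name\n";
    close $out;
}

# Returns the submitted value only if it is exactly one of the menu values.
# An undefined or unknown value (e.g. /etc/naughty/boy or ../something)
# yields undef, so it never reaches open().
sub validate_memo {
    my ($memo) = @_;
    return undef unless defined $memo;
    return $is_allowed{$memo} ? $memo : undef;
}

# Reads the selected memo with a three-argument open and a lexical
# filehandle: the mode is fixed to '<', so the submitted string can only
# ever be a filename, never a pipe or a write mode.
sub read_memo {
    my ($memo) = @_;
    my $path = "$memo_dir/$memo";
    open my $fh, '<', $path or die "Can't open $path: $!";
    local $/;              # slurp mode
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Simulated requests in place of CGI->new->param('memo'). Assumed shape;
# the real script would also check $ENV{REQUEST_METHOD} eq 'POST'.
my @requests = (
    { memo => '/etc/naughty/boy' },   # attack value from the question
    { memo => '../notes.txt' },       # updir that a loose regex might pass
    { memo => 'notes.txt' },          # a genuine menu value
);

for my $req (@requests) {
    my $memo = validate_memo($req->{memo});
    if (!defined $memo) {
        print "Status: 400 Bad Request\nContent-Type: text/plain\n\n";
        print "Rejected: '$req->{memo}' is not a menu value\n\n";
        next;
    }
    print "Content-Type: text/plain\n\n";
    print read_memo($memo);
    print "\n";
}
```

Because the allowlist is derived from @memo_values, adding a new memo to the menu automatically makes it acceptable to the validator, and nothing else is. The regex alternative from the answer is deliberately not used here, since the whole point is that an exact-match lookup cannot be loosened by a forgotten anchor or an unescaped dot.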