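$OPTIMIZE ON
$TYPECHECK ON
$INCLUDE "rapidq.inc"
$INCLUDE "qcgi.inc"
$APPTYPE CGI
$ESCAPECHARS ON

' CGI that serves a file from the program's own directory, chosen by the
' "name" query/form parameter.
'
' The original version tried to sanitise name$ by STRIPPING dangerous
' substrings ("..", "/", "\", and their URL-encoded forms) one after the
' other.  That approach is order-dependent: removing a substring in a later
' step can re-form a pattern that an earlier step already removed, so the
' chain of REPLACESUBSTR$ calls is not a reliable guard.  This version
' instead ALLOW-LISTS the characters a filename may contain and rejects the
' request if anything else appears.  Because cgiConvertAuto already decodes
' the parameter, no %xx handling is needed: "%" itself is not allowed.

' Characters a requested filename may consist of.  Anything else (path
' separators, spaces, quotes, "%", ...) causes the request to be refused.
DIM SafeChars$ AS STRING
SafeChars$ = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"

DIM name$ AS STRING, file AS QFILESTREAM

' Returns 1 when n$ is a plain filename: non-empty, built only from
' SafeChars$, not starting with "." and not containing "..".  Returns 0
' otherwise.  Checking each character against an allow-list is independent
' of the order in which checks run, unlike a chain of substring removals.
FUNCTION IsSafeName(n$ AS STRING) AS INTEGER
  DIM i AS INTEGER, ok AS INTEGER
  ok = 1
  IF n$ = "" THEN ok = 0
  ' "." is allowed inside a name (extensions) but a leading "." would admit
  ' dot-files and "." / ".." style names.
  IF LEFT$(n$, 1) = "." THEN ok = 0
  IF INSTR(n$, "..") > 0 THEN ok = 0
  FOR i = 1 TO LEN(n$)
    IF INSTR(SafeChars$, MID$(n$, i, 1)) = 0 THEN ok = 0
  NEXT i
  Result = ok
END FUNCTION

CREATE CGI AS QCGI
  InitCgi(cgiInputDefault, cgiConvertAuto)
END CREATE

' Read the raw parameter; validation happens below, and the raw value is
' never used to build a path unless IsSafeName() accepted it.
name$ = CGI.GetValue("name")

' NOTE(review): the HTML tags of the pages printed below appear to have been
' lost in this listing; only the visible text survived.  Restore the markup
' when reinstating this file.
IF name$ = "" THEN
  ' No parameter: show the input form.
  PRINT "Content-type: text/html\n\n"
  PRINT ""
  PRINT ""
  PRINT "CGI Test - Enter a filename"
  PRINT ""
  PRINT ""
  PRINT "Please enter a filename:"
  PRINT ""
  PRINT ""
  PRINT ""
  PRINT ""
  PRINT ""
  PRINT ""
ELSEIF IsSafeName(name$) = 0 THEN
  ' Refuse rather than "clean up": a rejected value is never turned into a
  ' path.  The user-supplied value is deliberately NOT echoed here because
  ' it failed validation and may contain markup.
  PRINT "Content-type: text/html\n\n"
  PRINT ""
  PRINT ""
  PRINT "CGI Test - Error"
  PRINT ""
  PRINT ""
  PRINT "That filename is not allowed!"
  PRINT ""
  PRINT ""
ELSE
  ' Another safeguard: every path is rooted at the working directory.
  ' NOTE(review): this still exposes every file that sits next to the CGI
  ' program (including the program and its sources, if deployed there);
  ' serving from a dedicated data subdirectory would narrow that further.
  IF FILEEXISTS(CURDIR$ + "\\" + name$) THEN
    IF File.Open(CURDIR$ + "\\" + name$, fmOpenRead) THEN
      PRINT "Content-type: text/plain\n\n"
      WHILE NOT(File.EOF)
        PRINT File.ReadLine
      WEND
      ' Release the handle; the original never closed the stream.
      File.Close
    ELSE
      PRINT "Content-type: text/html\n\n"
      PRINT ""
      PRINT ""
      PRINT "CGI Test - Error"
      PRINT ""
      PRINT ""
      PRINT "That file cannot be opened!"
      PRINT ""
      PRINT ""
    END IF
  ELSE
    PRINT "Content-type: text/html\n\n"
    PRINT ""
    PRINT ""
    PRINT "CGI Test - Error"
    PRINT ""
    PRINT ""
    ' Echoing name$ is safe here only because IsSafeName() limited it to
    ' SafeChars$, which contains no markup characters.
    PRINT "" + name$ + " does not exist!"
    PRINT ""
    PRINT ""
  END IF
END IF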