http://qs1969.pair.com?node_id=214478


in reply to Thoughts on file upload...

Not really security related per se, but I think that it's wise to set a maximum file size that you'll accept so that someone doesn't try to fill up your disk.

You can do this easily (if you're using CGI.pm) with something like:

# Limit file sizes to 1 MB use constant MAX_FILE_SIZE => 1_048_576; $CGI::POST_MAX = MAX_FILE_SIZE;

You may also want to set a size limit on the directory that is holding the uploaded files. This could be done with something like:

# 100 MB limit on the size of the upload dir use constant MAX_DIR_SIZE => 100 * 1_048_576; sub dir_size { my $dir = shift; my $dir_size = 0; my $file; # Loop through files and sum the sizes; doesn't descend down subdi +rs. opendir DIR, $dir or die "Unable to open $dir: $!\n"; $dir_size += -s "$dir/$file" while defined( $file = readdir DIR ); closedir DIR; return $dir_size; } die 'Upload directory is full.' if ( dir_size('/path/to/dir') + $ENV{CONTENT_LENGTH} > MAX_DIR_SIZE +);