PerlMonks  

Re: Re: Uploading a file

by jepri (Parson)
on Oct 16, 2003 at 02:06 UTC


in reply to Re: Uploading a file
in thread Uploading a file

There are a few issues here. The biggest is that you are accepting someone else's name for the file you will be storing. If they give you a deliberately wrong filename they could overwrite important files on your system. Never allow a user to write to any old filename! Have your script pick the filename to save to, then save the user's filename (description) in another file, or a database or something.

You also have the potential to have your images cut off halfway through if the maximum POST size is set too small in your webserver.

Also your script doesn't appear to have any sort of login feature, so a naughty user could just upload thousands of files and fill up your server, and you wouldn't be able to stop them.

____________________
Jeremy
I didn't believe in evil until I dated it.

Re: Re: Re: Uploading a file
by iburrell (Chaplain) on Oct 16, 2003 at 21:18 UTC
    It is acceptable to use the uploaded file name if the input is validated sufficiently. First is removing characters that could cause problems for the shell. This will prevent attacks against the shell and also help with giving file names that don't need encoding or special processing. Also good is using the three argument form of open.

    use File::Spec;
    my $path = File::Spec->catfile($dir, $file);
    open(OUT, '>', $path) or die "open $path: $!";

    Another check is to remove any directory components. This prevents writing to files elsewhere on the filesystem. It guarantees that the files go in the right directory.

    It is a good idea to separate uploaded files into their own directory. If there is some authentication to control who can upload, then overriding an existing file isn't a security hole.
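    A worked version of the advice in both posts (strip directory components, whitelist the remaining characters, let the server choose the stored name and record the user's name separately), added here as an example that is not code from either poster; the upload directory, the index file and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile);

# Assumed upload directory; files are kept apart from everything else.
my $UPLOAD_DIR = '/var/www/uploads';

# Reduce a client-supplied name to a safe basename for display/logging,
# or return undef when nothing usable survives.
sub sanitize_upload_name {
    my ($name) = @_;
    return undef unless defined $name;
    # Drop any directory part; handle both / and \ so a Windows-style
    # path sent by a browser cannot carry directory components through.
    $name =~ s{.*[/\\]}{};
    # Keep a conservative character set; anything else becomes '_'.
    $name =~ s/[^A-Za-z0-9._-]/_/g;
    # Leading dots would hide the file or produce "." / "..".
    $name =~ s/^\.+//;
    return undef if $name eq '';
    # Bound the length so it fits the filesystem and one log line.
    return substr($name, 0, 100);
}

# jepri's approach: the server picks the stored filename, so the user's
# name is never used as a path; the sanitized name is recorded beside it.
sub store_upload {
    my ($fh_in, $client_name) = @_;
    my $display = sanitize_upload_name($client_name) // 'unnamed';
    # tempfile() creates a unique file inside $UPLOAD_DIR, so no
    # existing file can be overwritten by a chosen name.
    my ($out, $path) = tempfile('upload_XXXXXXXX',
                                DIR => $UPLOAD_DIR, SUFFIX => '.bin');
    binmode $out;
    binmode $fh_in;
    my $buf;
    while (read($fh_in, $buf, 65536)) {
        print {$out} $buf or die "write $path: $!";
    }
    close $out or die "close $path: $!";
    # Three-argument open fixes the mode regardless of the path contents.
    my $index = File::Spec->catfile($UPLOAD_DIR, 'index.txt');
    open(my $idx, '>>', $index) or die "open $index: $!";
    print {$idx} "$path\t$display\n";
    close $idx or die "close $index: $!";
    return $path;
}
```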
