Re: Re: Re: Uploading a file

by iburrell (Chaplain)
on Oct 16, 2003 at 21:18 UTC ( [id://299885]=note )


in reply to Re: Re: Uploading a file
in thread Uploading a file

It is acceptable to use the uploaded file name if the input is validated sufficiently. First is removing characters that could cause problems for the shell. This will prevent attacks against the shell and also help with giving file names that don't need encoding or special processing. Also good is using the three-argument form of open.
use File::Spec;

my $path = File::Spec->catfile($dir, $file);
open(OUT, '>', $path) or die;

Another check is to remove any directory components. This prevents writing to files elsewhere on the filesystem. It guarantees that the files go in the right directory.

It is a good idea to separate uploaded files into their own directory. If there is some authentication to control who can upload, then overriding an existing file isn't a security hole.
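
The checks described in the post above, combined into one routine. This is an added example, not part of the original post: `safe_upload_name`, the allow-list of characters, the temporary directory standing in for the upload directory, and the sample names are all assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Stand-in for a dedicated upload directory (assumption for this example).
my $upload_dir = tempdir(CLEANUP => 1);

# Hypothetical helper: returns a safe base name, or undef to reject.
sub safe_upload_name {
    my ($client_name) = @_;
    return unless defined $client_name && length $client_name;

    # Remove directory components: keep only what follows the last / or \
    # (some clients send a full local path, with either separator).
    (my $name = $client_name) =~ s{^.*[/\\]}{}s;

    # Replace every character outside a conservative allow-list, so the
    # name needs no quoting or encoding if it later reaches a shell.
    $name =~ s/[^A-Za-z0-9._-]/_/g;

    # Refuse empty names, ".", "..", dotfiles and option-like names.
    return if $name eq '' || $name =~ /^[.-]/;
    return $name;
}

# Constructed sample inputs.
my @samples = (
    'report.pdf', '../../etc/passwd', 'C:\\Users\\a\\my file.txt',
    'x; rm -rf ~.txt', '..', '-rf', 'dir/',
);

for my $in (@samples) {
    my $name = safe_upload_name($in);
    unless (defined $name) {
        printf "%-26s => rejected\n", $in;
        next;
    }
    my $path = File::Spec->catfile($upload_dir, $name);
    # Three-argument open: the mode is fixed, $path is only ever a file name.
    open(my $out, '>', $path) or die "Cannot open $path: $!";
    print {$out} "uploaded data\n";
    close($out) or die "Cannot close $path: $!";
    printf "%-26s => %s\n", $in, $name;
}
```

Names that differ only in replaced characters map to the same file, so the later upload overwrites the earlier one; the post's point about authentication covers when that is acceptable.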
