Willman023 has asked for the wisdom of the Perl Monks concerning the following question:

Ok I have a script to upload a file and I'm trying to name it by using the inputs from the form as the file name, but for some reason it just gives me a completely blank screen. The html file is at www.tdecsucks.com/upload.html and the cgi part is below. I've tried all the obvious things, I've even tried renaming the file after it's saved as a temp file. I know the problem lies when I use a scalar as the filename, and yet I've seen it like this in two books. If anyone has had this problem or knows how I can go around this, I'd be in debt to you for life!

#!/usr/bin/perl -wT
use strict;
use CGI qw(:standard);

print "Content-Type: text/html\n\n";

my $file = param ('uploadfile');
my $info = uploadInfo ($file);
my $type = $info -> {'Content-Type'};
my $name = param ('name');
my $course = param ('course');
my $lastname = param ('lastname');
my $term = param ('term');
my $description = param ('description');
my $filename = "$name$course$lastname$term$description";

if ($file) {
    open (UPLOAD, ">/var/www/uploads/$filename") || Error ();
    my ($data, $length, $chunk);
    while ($chunk = read ($file, $data, 1024)) {
        print UPLOAD $data;
        $length += $chunk;
        if ($length > 5120000) {
            print "That file is too big. The limit is 5 Megs.";
            exit;
        }
    }
    close (UPLOAD);
    print "<p>You uploaded <b>$file</b> which had a MIME type of <b>$type</b>.";
    print "<p>Your filename is <b>$filename</b>.";
} else {
    print "No file was chosen.";
}

sub Error {
    print "Couldn't open temporary file: $!";
    exit;
}

Replies are listed 'Best First'.
Re: Upload problem
by ajt (Prior) on Oct 01, 2001 at 13:28 UTC
    Good to see you using -wT, Strict and CGI. That's a good start to this problem.

    There are a few things that may help your situation.

    • You have correctly turned taint checking on, but haven't actually de-tainted any data. Unless you clean up user input (the form stuff), Perl will refuse to use it - you should find your server's log is full of error statements.
    • CGI has a nice way to control upload files built in to it, which is better than your counting trick. You count the data after the server has it, which is a bit late.
    • You don't have to, but CGI has nice routines to deal with printing your HTML out for you, it won't fix your problems, but it will make your life easier in the long run.
    • You may find that adding use CGI::Carp helps too, as it will send more sensible errors to your server.

    At first glance I'd bet you're getting 500 Server errors as you're trying to use tainted data to open and write to a file. Have a look in your server log to confirm this, then have a look at:

    • perlsec - to see how you can de-taint data and make it safer to use.
    • cgi - to control file size uploads eg $CGI::POST_MAX = 64 * 1024; for 64k maximum, and to do pretty HTML printout see Re: Writing a simple posting script which can be used via the web for a recent example.
    • Have a look at various CGI Upload scripts in Q&A (QandASection: CGI programming) and other locations; it's a popular topic.
    • CGI::Carp - If you use this you can send nice error messages to the server logs, and if you use fatalsToBrowser during development, you can even get feedback in your browser. Instead of exit; you can say die "Serious problem $!"; or whatever is useful.

    This is a small start, I expect you'll get lots of other tips as well, good luck!

      Thanks a lot ajt. Three words for you: You're the man! I'm now able to save with a variable filename, after turning taint checking off. I don't know how to detaint data, so I just turned tainting off altogether. I'm just happy to know what was causing the problem, never would have thought that tainted data would mess it up when using a constant name, it worked so I figured no different for variable, guess I was wrong. Thanks a lot for all your words of wisdom!

      Bryan Willman
Answer: Upload problem
by Hero Zzyzzx (Curate) on Oct 01, 2001 at 20:49 UTC

    Big ups to ajt. Solid explanation. My only addition- when you saw this method in two other books, I bet they didn't have taint checking on. It would be wrong to accept file uploads without taint checking.

    You're going the right route, your next task is to figure out how to de-taint data, and the links ajt provided will help you get there, especially perlsec.

    Good start! You're almost there.

      Thanks a lot!

      I would never have thought that tainted data would affect my upload script like it did. I just turned tainting off completely and bingo it worked, I'm not sure how to use tainting and then detaint a certain part of the script, but I'm happy how it is now. Thanks again for your time and input!

      Bryan Willman
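
An added example of the de-tainting step that ajt and Hero Zzyzzx point to, kept with taint checking on (this is not code from any poster in the thread). The helper names `clean_part` and `build_filename`, the allowed-character pattern, the 32-character cap, the `_` separator and all sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use Scalar::Util qw(tainted);

# ajt's suggestion: have CGI.pm refuse oversized POSTs instead of counting bytes later.
$CGI::POST_MAX = 5 * 1024 * 1024;

# Hypothetical helper: return an untainted copy of one form field, or undef.
# Only a regex capture clears taint, so the pattern is the policy (assumed here:
# 1-32 letters, digits or hyphens; no dots, slashes or spaces).
sub clean_part {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([A-Za-z0-9-]{1,32})\z/ ? $1 : undef;
}

# Hypothetical helper: build the stored name from the form's five fields,
# or undef if any field is missing or rejected.
sub build_filename {
    my ($q) = @_;
    my @parts = map { clean_part(scalar $q->param($_)) }
                qw(name course lastname term description);
    return undef if grep { !defined } @parts;
    return join '_', @parts;
}

# Constructed sample input. Appending a zero-length piece of "$0$^X" (tainted
# under -T) taints each value the way real form data is tainted.
my $t    = substr("$0$^X", 0, 0);
my $good = CGI->new({ name => "Bryan$t", course => "CS101$t", lastname => "Willman$t",
                      term => "Fall2001$t", description => "notes$t" });
my $odd  = CGI->new({ name => "week 1/notes$t", course => "CS101$t", lastname => "W$t",
                      term => "F01$t", description => "x$t" });

# The raw field is tainted, so Perl aborts the open before touching the disk.
my $raw = $good->param('name');
print "raw field tainted: ", (tainted($raw) ? "yes" : "no"), "\n";
eval { open(my $fh, '>', "/var/www/uploads/$raw") or die "open failed: $!\n"; 1 }
    or print "open with raw field: $@";

# The validated name is untainted and can be interpolated into the open() path.
my $file = build_filename($good);
print "clean name: $file, tainted: ", (tainted($file) ? "yes" : "no"), "\n";
print "odd input: ", (defined build_filename($odd) ? "accepted" : "rejected"), "\n";
```

Run it as `perl -T script.pl`, since a `-T` on the `#!` line must also be given on the command line. A field that fails the pattern makes `build_filename` return undef, which the caller should treat as a rejected upload.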