in reply to File upload with empty temp handle value

Please do not let random uploaders from the outside give files names on your system.

Ideally, you save the uploaded data to a file using a random name (or simply a number) and store the uploaded filename in a database together with the local name on your filesystem.

The actual filename of your temporary upload file is available through the ->upload() and ->tmpFileName methods. But the CGI documentation shows their usage differently from what you do:

my $filehandle = $q->upload( 'uploaded_file' );
my $tmpfilename = $q->tmpFileName( $filehandle );

Maybe if you adapt your code to use the functions as in the documentation it will work better?

Personally, I would use File::Copy to copy data from the /tmp directory instead of hoping that rename will work.

Maybe you will also find Text::CleanFragment helpful, which converts arbitrary text to ASCII without spaces, which is mostly harmless to use in filenames.

Re^2: File upload with empty temp handle value
by Anonymous Monk on Jan 15, 2018 at 19:46 UTC
    "Please do not let random uploaders from the outside give files names on your system."
    This name "/tmp/967iaq5eJv" has not been assigned by the user; there is a check in place for it, but it's the value of this line of code:
    my $tmp_file = $cgi->tmpFileName( $file_name );
    I am trying to know why it's empty, and if I could change its default to another location.

      Please re-read the documentation. You initialize $file_name from $cgi->param('doc');. The documentation of CGI initializes it from $cgi->upload(...). Maybe if you try that the name won't be empty.

      Later in your code, you are trusting that the user did not set the filename to something like ../remote-shell.php or even ./remote-shell.php. Giving users the ability to specify the content and the name of a file on your system is a really bad idea.
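
An added example, not code from any poster in this thread, of the approach the replies describe: take the handle from ->upload(), copy the temporary file with File::Copy to a randomly named local file, and keep the client's filename only as a database value. The form field name 'uploaded_file' follows the documentation snippet above; the storage paths, the table layout and the use of DBD::SQLite are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;
use File::Basename qw(basename);
use File::Copy qw(copy);
use File::Temp qw(tempfile);

# Assumed locations (not from the thread); keep both outside the web root.
my $STORE_DIR = '/var/lib/myapp/uploads';
my $DB_FILE   = '/var/lib/myapp/uploads.sqlite';

my $q = CGI->new;

# upload() returns the filehandle; param() only yields the client's filename.
my $fh = $q->upload('uploaded_file');
my $tmpfilename = defined $fh ? $q->tmpFileName($fh) : undef;
unless (defined $tmpfilename && length $tmpfilename && -f $tmpfilename) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain'),
          "No file received.\n";
    exit;
}

# Client-supplied name: untrusted, kept as data only, never used in a path.
my $client_name = '' . scalar $q->param('uploaded_file');

# File::Temp picks the random local name and creates the file exclusively,
# so a name like ../remote-shell.php can never reach the filesystem.
my ($out, $local_path) = tempfile('XXXXXXXXXXXX',
    DIR => $STORE_DIR, SUFFIX => '.bin', UNLINK => 0);
binmode $out;
copy($tmpfilename, $out) or die "copy from $tmpfilename failed: $!";
close $out or die "close $local_path failed: $!";

# Record local name -> original name; placeholders keep the name out of the SQL.
my $dbh = DBI->connect("dbi:SQLite:dbname=$DB_FILE", '', '',
    { RaiseError => 1 });
$dbh->do('CREATE TABLE IF NOT EXISTS uploads
          (local_name TEXT PRIMARY KEY, client_name TEXT)');
$dbh->do('INSERT INTO uploads (local_name, client_name) VALUES (?, ?)',
    undef, basename($local_path), $client_name);

print $q->header(-type => 'text/plain'), "Stored.\n";
```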