Re^2: File upload with empty temp handle value

"Please do not let random uploaders from the outside give files names on your system."
This name "/tmp/967iaq5eJv" is not been assigned by the user, there is check in place for it, but its the value of this line of code:

my $tmp_file = $cgi->tmpFileName( $file_name );
[download]

I am trying to know why its empty. And if I could change its default to another location.

Comment on Re^2: File upload with empty temp handle value Download Code

Replies are listed 'Best First'.
Re^3: File upload with empty temp handle value by Corion (Patriarch) on Jan 15, 2018 at 20:09 UTC
Please re-read the documentation. You initialize `$file_name` from `$cgi->param('doc');`. The documentation of CGI initializes it from `$cgi->upload(...)`. Maybe if you try that the name won't be empty. Later in your code, you are trusting that the user did not set the filename to something like `../remote-shell.php` or even `./remote-shell.php`. Giving users the ability to specify the content and the name of a file on your system is a really bad idea.	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^3: File upload with empty temp handle value
by Corion (Patriarch) on Jan 15, 2018 at 20:09 UTC

Please re-read the documentation. You initialize $file_name from $cgi->param('doc');. The documentation of CGI initializes it from $cgi->upload(...). Maybe if you try that the name won't be empty.

Later in your code, you are trusting that the user did not set the filename to something like ../remote-shell.php or even ./remote-shell.php. Giving users the ability to specify the content and the name of a file on your system is a really bad idea.

[reply]
[d/l]
[select]