Re: Re(2) (ichimunki): Security issues when allowing file upload via CGI

I like the idea, but don't you have to be careful of this line?

my $file_cmd_output = `file $fn`;

$fn is tainted and doesn't this give them the chance to sneak a command in via $fn? Need to make sure $fn is clean.

Joe.

Comment on Re: Re(2) (ichimunki): Security issues when allowing file upload via CGI

Replies are listed 'Best First'.
Re(4) (ichimunki): Security issues when allowing file upload via CGI by dmmiller2k (Chaplain) on Dec 07, 2001 at 01:50 UTC
Sigh. Yes, you're right about `$fn` being tainted, but I was speaking more to the principle of using the standard NIX command, "`file`" (or reasonable facsimile, such as the perl module File::MMagic, for example) to check the type of the file by examining the first several bytes (or more). Certainly, by the time I intended this code to run, a file would have been uploaded to some directory somewhere. My expectation was that `$fn` would, at the time of the call, contain the full pathname to this file, and would not necessarily have been entered directly by a web-page user. But then, I DID fail to document these expectations (read: preconditions, using programming-by-contract terminology), so I deserve to be chastised for it. (takes 40 lashes with a wet noodle) dmm You can* give a man a fish and feed him for a day ... Or, you can teach him to fish and feed him for a lifetime	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re(4) (ichimunki): Security issues when allowing file upload via CGI
by dmmiller2k (Chaplain) on Dec 07, 2001 at 01:50 UTC

Sigh.

Yes, you're right about $fn being tainted, but I was speaking more to the principle of using the standard *NIX command, "file" (or reasonable facsimile, such as the perl module File::MMagic, for example) to check the type of the file by examining the first several bytes (or more).

Certainly, by the time I intended this code to run, a file would have been uploaded to some directory somewhere. My expectation was that $fn would, at the time of the call, contain the full pathname to this file, and would not necessarily have been entered directly by a web-page user.

But then, I DID fail to document these expectations (read: preconditions, using programming-by-contract terminology), so I deserve to be chastised for it.

(takes 40 lashes with a wet noodle)

dmm


You can give a man a fish and feed him for a day ...
Or, you can teach him to fish and feed him for a lifetime

[reply]
[d/l]
[select]