The proper way to do it would be to have it saving the files to a directory where the user apache (or whatever web server) runs as has write permission. chmoding the directory to 777 is overkill... Ideally, you could use suexec with apache, but that may not be an option depending on who runs the server. Worst case, I'd suggest you create a new directory solely to receive uploads from your script and set its permissions to 733 (anyone can write to the directory, but only you can read it) which will at least prevent people from seeing what's there. .htaccess can probably also be used to help keep prying eyes at bay.

Looking over the code, I see one glaring problem: You're too lax when untainting $file. You also need to check that it doesn't start with a / or contain .. unless you want to let people upload files to /bin/bash or ../../../bin/ls. (If the Apache module is available, you can use server_root_relative($file) to clean up incoming paths.) Also note that the regex you're using to untaint $file will happily accept 'path/to/somewhere/deeper/than/you/want', although I suspect you don't want it to. If you want $2 to end up with only the final component of a path, use /\/([^\/\\]+)$/ instead.

I suppose the big question, though, is "What are you trying to accomplish?" TIMTOWTDI, but the way you've chosen seems a bit awkward. There's probably an easier way to do what you intend.
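A Perl sketch of the checks described in this reply, written as an added example rather than code from dsheroh's or Baz's posts. The upload directory path, the dotfile rejection and the allow-list character class are assumptions for the example; the script rejects absolute paths and any `..` component, then keeps only the final path component (splitting on / or \) before untainting it.

```perl
use strict;
use warnings;
use File::Spec;

# Run with `perl -T` so taint mode is on; the allow-list match below is
# the only place taint is removed. Assumed upload directory for the example.
my $UPLOAD_DIR = '/var/www/uploads';

# Reduce a client-supplied filename to a single safe path component.
# Returns the untainted basename, or undef if the name is unacceptable.
sub safe_upload_name {
    my ($file) = @_;
    return undef unless defined $file && length $file;

    # Reject absolute paths and any '..' component outright, as the
    # reply suggests, instead of silently salvaging something from them.
    return undef if $file =~ m{\A[/\\]};
    return undef if grep { $_ eq '..' } split m{[/\\]}, $file;

    # Keep only the last component; browsers may send a client-side path.
    my ($base) = $file =~ m{([^/\\]+)\z};
    return undef unless defined $base;

    # Assumed policy: no dotfiles, so nobody can drop a .htaccess here.
    return undef if $base =~ /\A\./;

    # Strict allow-list untaint: letters, digits, dot, dash, underscore,
    # at most 255 characters. $1 is untainted by the successful match.
    return undef unless $base =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,254})\z/;
    return $1;
}

# Build the destination path inside the upload directory, or undef.
sub upload_target {
    my ($file) = @_;
    my $name = safe_upload_name($file);
    return undef unless defined $name;
    return File::Spec->catfile($UPLOAD_DIR, $name);
}

# Constructed sample inputs showing what is accepted and what is rejected.
for my $in ('/bin/bash', '../../../bin/ls', 'C:\\Users\\me\\report.pdf',
            'path/to/deeper/file.txt', '.htaccess', 'ok-file_1.tar.gz') {
    my $out = upload_target($in);
    printf "%-28s => %s\n", $in, defined $out ? $out : '(rejected)';
}
```

Note that `path/to/deeper/file.txt` is accepted as `file.txt` and `C:\Users\me\report.pdf` as `report.pdf`, because only the final component ever reaches the filesystem.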


In reply to Re: File upload and directory permissions by dsheroh
in thread File upload and directory permissions by Baz
