I NEVER allow users to set the filename on my server. You are stripping slashes from the user-supplied name, so you have the right idea. But, why open any security hole on your server?
Provide your own filename for any upload (since you do not allow outside access to these files, you could simply number them sequentially -- we normally create random filenames anyway), and then tie the real filename to the user's intended filename with a database, etc.
To expand on your actual question ("what type of security holes exist with a browse button?"), the issue is not the browse button. You can be relatively confident when planning for the data from a browse button (file upload). The people about whom you should worry are those who will submit to your server without using the built-in tools. These people will send you something the browse button never will. That's why we have to be paranoid, and never trust anything from userland.
It's a common misconception in most newbie CGI'ers: just because you provide (or don't provide) a button or field or a certain piece of data, you may never trust it. A user/would-be-hacker can easily submit false information to you. If you send a page with a Client Number in a hidden field, for example, you cannot trust that Client Number when performing any operation. Anyone could have forged it. Is it "The X-Files" with the motto "Trust No One!"? Believe it when doing CGI.
Russ
In reply to Re: File Upload Security Question by Russ, in thread File Upload Security Question by Ovid
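The approach described in the post above (the server picks the filename and the client-supplied name is kept only as data), as an added example that is not part of the original post. `store_upload`, the `upload_` prefix, the size limit and the JSON-lines index standing in for the database are all assumptions of this sketch.

```perl
#!/usr/bin/perl
# Added example: server-chosen upload names, client name kept only as data.
use strict;
use warnings;
use File::Temp qw(tempdir tempfile);
use File::Basename qw(basename);
use JSON::PP ();

my $MAX_BYTES = 1_000_000;    # assumed size limit for this sketch

# Store the upload under a name the server picks; $client_name never reaches a path.
sub store_upload {
    my ($in, $client_name, $dir, $index_file) = @_;

    # tempfile() opens with O_EXCL, so an existing file is never overwritten.
    my ($out, $path) = tempfile('upload_XXXXXXXXXXXX', DIR => $dir, UNLINK => 0);
    binmode $_ for $in, $out;

    my ($total, $buf) = (0, '');
    while (my $n = read($in, $buf, 8192)) {
        $total += $n;
        if ($total > $MAX_BYTES) {
            close $out;
            unlink $path;
            die "upload exceeds $MAX_BYTES bytes\n";
        }
        print {$out} $buf or die "write failed: $!";
    }
    close $out or die "close failed: $!";

    # JSON escaping keeps tabs, newlines and NULs in the client name from
    # corrupting the index. A real application would use its database here.
    my $record = JSON::PP->new->ascii->canonical->encode(
        { stored => basename($path), client_name => $client_name, bytes => $total });
    open my $idx, '>>', $index_file or die "cannot open index: $!";
    print {$idx} "$record\n";
    close $idx or die "close failed: $!";
    return basename($path);
}

# Constructed sample: a forged filename no browse button would produce.
my $dir    = tempdir(CLEANUP => 1);
my $forged = "../../etc/passwd\0.jpg";
open my $in, '<', \"constructed file body\n" or die "open failed: $!";
my $stored = store_upload($in, $forged, $dir, "$dir/index.jsonl");
print "stored as: $stored\n";
print "inside upload dir: ", (-f "$dir/$stored" ? "yes" : "no"), "\n";
```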