It is a good idea to limit uploads, but probably not at the application level, unless you have a compelling business rule. You do have to decide if you really want limits on the size of one upload, or the total size of uploads, and the location where the uploads will be stored. I am assuming that you are allowing anonymous uploading and that opens a whole different can of worms. This will require you to filter out potentially bad file names, destructive HTML, Perl, and Java code, and a whole bunch of other security problems. On the other hand, I would do this even with authenticated users, because a lot of sabotage comes from within an organization.

I would recommend only allowing authenticated users to do uploading. Your first level of protection should be authentication. I would then recommend limiting the size of each upload and the total size per application or user. If you are using Apache servers, you can set some limits at the server level: Apache Limits. But this limit is only for each individual file. Your Perl code can also limit the file size. In this example, the author creates temporary directories on the fly so that someone cannot guess the directory name and somehow force an upload. I have seen this technique used a lot, so I would recommend it if you are concerned about DoS attacks: Quick and Dirty Method. Here is another example, which uses a text file that could be the starting point for tracking the total size uploaded by application or user: User Tracking.

On the Perl side of the uploading CGI, I would log all requests for uploading, including the IP address, authenticated name, file name, file size, and a success code. This audit trail is most useful for finding problems and detecting attacks.

In closing, I would hope that you would not rely on a single point of failure to protect your uploads. A good blend of Operating System, Server, and Perl limits should give you a good three-layer umbrella.

Richard

There are three types of people in this world, those that can count and those that cannot. Anon


In reply to Re: CGI upload limit by richardX
in thread CGI upload limit by Ryszard
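The Perl layer described in the reply above (authenticate first, cap each upload, track a per-user total in a text file, store under an unguessable directory, and log every request), as one added example. This is not richardX's code or the code behind the linked nodes; the limits, the upload root, the form field name "file", and the use of REMOTE_USER as set by the web server's own authentication are assumptions made for the example.

```perl
#!/usr/bin/perl
# Authenticated CGI upload handler with POST-body, per-file and per-user
# limits plus an audit log. Added example; paths, limits, the "file" form
# field and the REMOTE_USER convention are assumptions, not from the thread.
use strict;
use warnings;
use CGI;
use File::Temp qw(tempdir);
use File::Basename qw(basename);
use Fcntl qw(:flock O_WRONLY O_CREAT O_EXCL);
use POSIX qw(strftime);

my $MAX_FILE_BYTES = 2 * 1024 * 1024;    # per single upload (assumed)
my $MAX_USER_BYTES = 20 * 1024 * 1024;   # cumulative per user (assumed)
my $UPLOAD_ROOT    = '/var/spool/uploads';        # assumed; keep it outside DocumentRoot
my $QUOTA_FILE     = "$UPLOAD_ROOT/quota.txt";    # one "user bytes" pair per line
my $LOG_FILE       = "$UPLOAD_ROOT/upload.log";

# CGI.pm stops reading a POST body larger than this and sets cgi_error(),
# so an oversized request is refused before it is fully buffered.
$CGI::POST_MAX = $MAX_FILE_BYTES + 4096;   # allowance for multipart overhead

my $q    = CGI->new;
my $ip   = $ENV{REMOTE_ADDR} || '-';
my $user = $ENV{REMOTE_USER};              # set by the web server's auth layer

# 1. Authentication first: anonymous requests never touch the disk.
deny('authentication required', 401)
    unless defined $user && $user =~ /^[\w.\@-]+$/;

# 2. Body-size gate enforced by CGI.pm itself.
if (my $err = $q->cgi_error) {
    log_upload($user, $ip, '-', 0, "rejected: $err");
    deny($err, 413);
}

my $fh = $q->upload('file');               # form field assumed to be "file"
deny('no file uploaded', 400) unless $fh;

# 3. Never trust the client-supplied name: drop any path, keep a safe charset.
my $name = basename(scalar $q->param('file'));
$name =~ s/[^\w.-]/_/g;
$name =~ s/^\.+//;
$name = 'upload.bin' if $name eq '';

# 4. Read the per-user quota table under an exclusive lock, so two
#    concurrent uploads cannot both pass the check and jointly exceed it.
open my $qfh, '+>>', $QUOTA_FILE or die "cannot open $QUOTA_FILE: $!";
flock $qfh, LOCK_EX             or die "flock: $!";
seek $qfh, 0, 0;
my %used;
while (my $line = <$qfh>) {
    my ($u, $bytes) = split ' ', $line;
    $used{$u} = $bytes if defined $bytes;
}
$used{$user} ||= 0;

# 5. Store in a freshly created random directory (unguessable name) and
#    count bytes while copying, so both limits apply to the data actually
#    received rather than to a Content-Length the client could lie about.
my $dir  = tempdir('up_XXXXXXXXXX', DIR => $UPLOAD_ROOT);   # created mode 0700
my $path = "$dir/$name";
sysopen my $out, $path, O_WRONLY | O_CREAT | O_EXCL, 0600
    or die "cannot create $path: $!";
binmode $fh;
binmode $out;
my ($size, $buf) = (0, '');
while (my $n = read $fh, $buf, 65536) {
    $size += $n;
    if ($size > $MAX_FILE_BYTES || $used{$user} + $size > $MAX_USER_BYTES) {
        close $out;
        unlink $path;
        rmdir $dir;
        log_upload($user, $ip, $name, $size, 'rejected: size or quota limit');
        deny('upload exceeds the per-file or per-user limit', 413);
    }
    print {$out} $buf or die "write failed: $!";
}
close $out or die "close failed: $!";

# 6. Commit the new quota total and release the lock.
$used{$user} += $size;
seek $qfh, 0, 0;
truncate $qfh, 0 or die "truncate: $!";
print {$qfh} "$_ $used{$_}\n" for sort keys %used;
close $qfh;

log_upload($user, $ip, $name, $size, 'ok');
print $q->header(-type => 'text/plain'), "stored $size bytes\n";

# Audit trail: timestamp, IP, user, file name, size, result.
sub log_upload {
    my ($who, $addr, $file, $bytes, $status) = @_;
    open my $lfh, '>>', $LOG_FILE or return;
    flock $lfh, LOCK_EX;
    print {$lfh} join("\t", strftime('%Y-%m-%dT%H:%M:%S%z', localtime),
                      $addr, (defined $who ? $who : '-'), $file, $bytes, $status), "\n";
    close $lfh;
}

sub deny {
    my ($msg, $code) = @_;
    print $q->header(-status => "$code $msg", -type => 'text/plain'), "$msg\n";
    exit 0;
}
```

This is only the Perl layer of the three-layer approach the reply recommends: Apache's LimitRequestBody directive caps the request body before the script runs, and a filesystem quota on the upload root bounds what the script can write even if the quota file is tampered with. The per-file check is duplicated deliberately ($CGI::POST_MAX and the byte count in the copy loop), so a change to one limit does not silently remove the other.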
