It is acceptable to use the uploaded file name if the input is validated sufficiently. First is removing characters that could cause problems for the shell. This will prevent attacks against the shell and also help with giving file names that don't need encoding or special processing. Also good is using the three-argument form of open.
use File::Spec;
my $path = File::Spec->catfile($dir, $file);   # $dir and $file set earlier
open(my $out, '>', $path) or die "Cannot open $path: $!";
Another check is to remove any directory components. This prevents writing to files elsewhere on the filesystem. It guarantees that the files go in the right directory.
It is a good idea to separate uploaded files into their own directory. If there is some authentication to control who can upload, then overriding an existing file isn't a security hole.
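The checks described above (strip directory components, whitelist the remaining characters, build the path with File::Spec and use three-argument open) put together in one script. This is an added example, not code from the post; the upload directory, the function names and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical upload directory; adjust for your deployment.
my $UPLOAD_DIR = '/var/www/uploads';

# Reduce an untrusted upload name to a safe basename, or return undef.
sub sanitize_upload_name {
    my ($raw) = @_;
    return undef unless defined $raw;

    # Strip directory components from both Unix and Windows style paths,
    # so "../../etc/passwd" and "C:\boot.ini" become "passwd" and "boot.ini".
    # The /s modifier lets "." cross an embedded newline.
    (my $name = $raw) =~ s{^.*[/\\]}{}s;

    # Whitelist: letters, digits, dot, dash, underscore. Anything else
    # (spaces, quotes, $, ;, |, NUL, ...) is removed rather than escaped.
    $name =~ s/[^A-Za-z0-9._-]//g;

    # Reject names that are empty or only dots ("", ".", "..") and
    # names that start with a dot (hidden files such as .htaccess).
    return undef if $name eq '' || $name =~ /^\.+$/ || $name =~ /^\./;

    return $name;
}

# Open the destination with three-argument open and a lexical handle;
# the sanitized name can no longer escape $UPLOAD_DIR.
sub open_upload {
    my ($raw) = @_;
    my $name = sanitize_upload_name($raw)
        or die "Rejected upload file name\n";
    my $path = File::Spec->catfile($UPLOAD_DIR, $name);
    open(my $out, '>', $path) or die "Cannot open $path: $!";
    return ($out, $path);
}

# Constructed sample inputs showing how each name is mapped or rejected.
for my $raw ('report.pdf', '../../etc/passwd', 'a b;rm -rf *.txt', '.htaccess', '..') {
    my $safe = sanitize_upload_name($raw);
    printf "%-22s => %s\n", $raw, defined $safe ? $safe : '(rejected)';
}
```

Because the whitelist removes rather than escapes, two different uploads can map to the same safe name; pair this with the per-user upload directory or a uniqueness check so an earlier file is not silently replaced.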