Is it possible to use WWW::Mechanize on a file upload field?

It's clearly possible to use WWW::Mechanize for file upload: unless you implement some human detection test (e.g. a captcha, which web servers usually don't), there's no way for the web server to tell if some input came from a human clicking on a form or from a WWW::Mechanize script. Moreover, it's also possible to use "plain" LWP::UserAgent to do this, even if WWW::Mechanize is way easier IIRC.

Or is there something special about this field?

There is indeed something special, i.e. the Content-Type of the request has to be set to multipart/form-data instead of the default application/x-www-form-urlencoded. But this should happen automatically. See also the docs for HTTP::Request::Common for more info.

And if it is possible, would it not also be possible to pass files as a hidden parameter and possibly steal information?

I don't understand this. Unless there's some bug on the server or in the CGI script, why should *uploading* a file to the server allow someone to *steal* data from it?

I need to populate a form field for my uploader but if it works, I can't help but think there's a whole security thing with uploaders I wasn't aware of.

Uploaders can make a process automatic, so there's pretty much the same level of risk that you have with anything you make automatic: it can go damned fast and saturate your resources (bandwidth, disk, whatever). I don't see other particular security issues.

Note that I'm not saying that there aren't security issues, only that I don't see particular differences with respect to other forms of automation; probably only the possible target resources are different (in this case, for example, disk space would be threatened, while in others it might not be).
Could you be more specific?
Flavio
perl -ple'$_=reverse' <<<ti.xittelop@oivalf
In reply to Re: CGI file uploads
by polettix
in thread CGI file uploads
by Anonymous Monk
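The reply above names disk space and bandwidth as the resources an automated uploader can saturate, and notes that the server cannot tell a script from a browser. The following is an added example, not code from the post or the thread: a CGI.pm upload handler that bounds what any client can consume. The field name `file`, the two size limits and the spool directory are assumptions.

```perl
#!/usr/bin/perl
# Added example: CGI upload handler with hard limits on request and file size.
use strict;
use warnings;
use CGI ();
use File::Temp qw(tempfile);

# Assumed limits and path (placeholders, adjust to the site).
my $MAX_REQUEST = 5 * 1024 * 1024;       # whole POST body, in bytes
my $MAX_FILE    = 4 * 1024 * 1024;       # one uploaded file, in bytes
my $UPLOAD_DIR  = '/var/spool/uploads';  # hypothetical, outside the web root

# Must be set before CGI->new parses the request, so CGI.pm refuses
# larger bodies instead of spooling them to disk.
$CGI::POST_MAX = $MAX_REQUEST;

my $q = CGI->new;

sub reply {
    my ($status, $msg) = @_;
    print $q->header(-status => $status, -type => 'text/plain'), "$msg\n";
    exit;
}

# cgi_error() is set (e.g. "413 Request entity too large") when POST_MAX is hit.
if (my $err = $q->cgi_error) { reply($err, 'Upload rejected') }
reply('405 Method Not Allowed', 'POST only')
    unless ($q->request_method // '') eq 'POST';

# 'file' is the assumed name of the <input type="file"> field.
my $in = $q->upload('file') or reply('400 Bad Request', 'No file part');

# Server-chosen name: the filename sent by the client is never used as a path.
my ($out, $path) = tempfile('upload-XXXXXXXX', DIR => $UPLOAD_DIR, UNLINK => 0);
binmode $out;

my ($total, $buf) = (0, '');
while (my $n = read($in, $buf, 65536)) {
    $total += $n;
    if ($total > $MAX_FILE) {            # per-file cap, enforced while copying
        close $out;
        unlink $path;
        reply('413 Request Entity Too Large', 'File too large');
    }
    print {$out} $buf;
}
close $out or reply('500 Internal Server Error', 'Write failed');
reply('200 OK', "Stored $total bytes");
```

These limits cap a single request only; the rate of requests per client still has to be bounded at the web server or in front of it.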