I'm working on a CGI script that accepts an upload and emails it to a preset address. It uses CGI and MIME::Lite for the appropriate bits and is based, in part, on merlyn's column on the subject.

While experimenting with this and reading the relevant documentation, I learned that it was possible to control the Encoding of the attachment in the resulting email. For example:

use strict;
use warnings;
use CGI;
use MIME::Lite;
use File::Basename qw( fileparse fileparse_set_fstype );

our %cfg;    # populated elsewhere, see [2]

my $cgi  = CGI->new;
my $file = $cgi->upload( 'uploadfile' );
my $info = $cgi->uploadInfo( $file );
# error checking deleted for brevity.

# Cut the user's path from the file name. We don't care where
# they stored it and it prevents most funky browser behavior.
fileparse_set_fstype( "MSWin32" );    # normally risky; "okay" here [1]
my ( $name ) = fileparse( $file );

# more stuff deleted, including validations and user feedback.

my $msg = MIME::Lite->new(
    Type    => 'multipart/mixed',
    From    => $cfg{ "MSGFROM" },    # [2]
    To      => $cfg{ "MSGTO" },
    Subject => $cfg{ "MSGSUBJECT" },
);

$msg->attach(
    Disposition => 'attachment',
    Type        => $info->{ "Content-Type" },
    Encoding    => 'base64',
    Filename    => $name,
    FH          => $file,
);
# The rest deleted

My petition is this: Am I making a dangerous assumption about Encoding? As I read the documentation, it should help make the submission slightly more secure as the email travels the wires. However I want to make sure I'm not deluding myself with a bad meme, cargo-cult-programming, or other form of "the usual mistakes."

Please note that I'm not trying to get overly zealous about it. If I was really paranoid, we'd be using PGP keys, etc. I'm just trying to take a reasonable precaution. (You know, lock the door to prevent casual snooping as opposed to determined thieves who can always throw a brick through your window.)

Footnotes:

  1. Normally, it's dangerous to assume things about the platform a visitor is using. However, this particular script will only be run by selected users, who are all running Win32 or some variation. The project manager said to assume Win32. I'm not happy with the decision, but that's what the project manager wants. *Sigh*

    I only mention it to let you know that a) I know it's dangerous and b) it's something I'll address in a later update.

  2. $cfg is a hash containing basic configuration information, as discussed previously.

Thanks in advance...

--f


In reply to Encoding Attachments by footpad
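The security claim in the post is the one point worth checking, so here is an added example, not part of footpad's post and not MIME::Lite code. It uses Python's standard email package to build the same kind of multipart/mixed message that MIME::Lite emits for Encoding => 'base64', then shows what a passive observer holding the raw bytes (a relay, a spool file, a network tap) gets back. The addresses, subject, filename and file contents are constructed for the example. Base64 is a content-transfer encoding, not a cipher: it keeps the attachment out of a casual grep of the mail spool, but anyone with a MIME parser, or a few lines of base64 decoding, recovers it exactly, filename included. Protection in transit comes from TLS between the mail hops or from encrypting the attachment itself (PGP or S/MIME), not from the Encoding parameter.

```python
"""Base64 is a transfer encoding, not encryption.

Builds the kind of multipart/mixed message MIME::Lite produces for
Encoding => 'base64' (using Python's stdlib email package here), then
recovers the attachment from the raw bytes two ways: with a MIME parser
and by hand.  The upload, addresses and subject are constructed samples.
"""
import base64
import email
from email import policy
from email.message import EmailMessage

# Constructed sample upload, standing in for what the CGI script reads
# from $file / $name.  Not real data.
SAMPLE_FILENAME = "quarterly-report.txt"
SAMPLE_BYTES = b"Confidential: headcount reductions planned for Q3.\n"


def build_message(filename, payload, content_type="text/plain"):
    """Return raw message bytes with the attachment base64-encoded.

    Mirrors the MIME::Lite->new / ->attach calls in the post: a
    multipart/mixed container and an attachment whose
    Content-Transfer-Encoding is base64 (MIME::Lite's Encoding parameter).
    """
    maintype, subtype = content_type.split("/", 1)
    msg = EmailMessage()
    msg["From"] = "uploads@example.com"   # stands in for $cfg{MSGFROM}
    msg["To"] = "inbox@example.com"       # stands in for $cfg{MSGTO}
    msg["Subject"] = "Uploaded file"      # stands in for $cfg{MSGSUBJECT}
    msg.set_content("File attached.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename, cte="base64")
    return msg.as_bytes()


def eavesdrop_with_parser(raw):
    """What anyone holding the raw bytes learns, using only a MIME parser."""
    parsed = email.message_from_bytes(raw, policy=policy.default)
    for part in parsed.iter_attachments():
        return {
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "transfer_encoding": str(part["Content-Transfer-Encoding"]),
            "content": part.get_payload(decode=True),
        }
    return None


def eavesdrop_by_hand(raw):
    """Same result without an email library: the body is plain base64.

    Locates the first base64-encoded part (the attachment; the text body
    is 7bit), takes the lines between its header block and the next MIME
    boundary, and base64-decodes them.  Relies on "\\n" line endings,
    which is what EmailMessage.as_bytes() emits under policy.default.
    """
    hdr = raw.index(b"Content-Transfer-Encoding: base64")
    body_start = raw.index(b"\n\n", hdr) + 2
    body_end = raw.index(b"\n--", body_start)   # base64 never starts with "-"
    return base64.b64decode(raw[body_start:body_end])


def plaintext_visible_on_wire(raw, payload):
    """True if a naive grep of the raw message would find the payload."""
    return payload in raw


if __name__ == "__main__":
    raw = build_message(SAMPLE_FILENAME, SAMPLE_BYTES)
    print("grep finds plaintext:", plaintext_visible_on_wire(raw, SAMPLE_BYTES))
    print("parser recovers     :", eavesdrop_with_parser(raw)["content"] == SAMPLE_BYTES)
    print("by-hand recovers    :", eavesdrop_by_hand(raw) == SAMPLE_BYTES)
```

The grep check is the only thing the base64 encoding buys: the plaintext string is absent from the raw message, which is why it can feel like a lock on the door. Both recovery functions then return the original bytes without any key, which is the point of the "reasonable precaution" question: it is a curtain, not a lock.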
