Can anyone help me make uploading files from a webform more secure? I know I have to watch for backticks, `.`, `..`, and such. Is there a simple regex that covers all this? I recall seeing one before but I can't seem to find it. Thanks.
#!/usr/bin/perl -w
$| = 1;
use CGI qw(param);
use strict;

# Client-supplied name: only the part after the last backslash is kept
my $file = param("file");
my @file_name = split(/\\/, $file);
my $file_name = pop(@file_name);
my $max_file_size = 2000000;
my $base_dir = "/home/ducc/";
my $out_file = $base_dir . $file_name;
my $log_file = $base_dir . "upload.log";
my ($total_bytes_read, $ip_log, $time_log);

print "Content-type: text/html\n\n";
open (OUT, ">$out_file") || die "Can't open: $!";
open (LOG, ">>$log_file");
binmode($file);          # uploads may be binary
binmode(OUT);
$ip_log = $ENV{'REMOTE_ADDR'};
$time_log = scalar localtime;
while (my $bytes_read = read($file, my $buffer, 1024)) {
    $total_bytes_read += $bytes_read;
    # Compare the running total, not the size of the current 1024-byte chunk
    if ($total_bytes_read > $max_file_size) {
        print "ERROR: The file you tried to upload will not be uploaded<br>";
        print "Your file is over $total_bytes_read bytes<br>";
        print "The max file size you can upload is $max_file_size bytes<br>";
        close (OUT);
        unlink ($out_file);
        print LOG "ERROR: $time_log: $ip_log tried to upload $out_file that was over $total_bytes_read bytes\n";
        close (LOG);
        die "$time_log: $ip_log tried to upload a file > $max_file_size";
    } else {
        print OUT $buffer;
    }
}
close (OUT) || die "Can't close: $!";
print LOG "$time_log: $ip_log uploaded $out_file that was $total_bytes_read bytes\n";
close (LOG);
print "Completed uploading $file_name: $total_bytes_read bytes<br>";
print "Done...";

In reply to Help make upload from web secure by dchau
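A filename sanitizer and size-capped copy loop for this kind of upload, added here as an illustration and not part of dchau's post. It keeps the post's 2,000,000-byte limit and /home/ducc/ upload directory, and assumes a CGI.pm upload filehandle plus the client-side name as separate inputs; the 128-character name cap and the helper names (`safe_upload_name`, `destination_path`, `copy_limited`) are this example's own choices. Rather than a regex that lists bad characters, it allowlists the characters a stored name may contain, which is what covers backticks, `.`, `..`, NUL bytes and anything else at once.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Reduce an untrusted, client-supplied file name to one safe path component.
# Returns undef when nothing acceptable remains, so the caller rejects the upload.
sub safe_upload_name {
    my ($raw) = @_;
    return undef unless defined $raw;

    # Some browsers send the full client-side path; keep only the last
    # component, splitting on both Unix and Windows separators.
    my ($name) = reverse split m{[\\/]+}, $raw;
    return undef unless defined $name && length $name;

    # Allowlist instead of a denylist: everything outside [A-Za-z0-9._-] is
    # dropped, which covers backticks, quotes, spaces, NUL bytes and non-ASCII.
    $name =~ tr/A-Za-z0-9._-//cd;

    # No separators survive, so ".." cannot reach a parent directory; collapse
    # dot runs and strip leading dots anyway so the result is never "." / ".."
    # or a hidden file such as ".htaccess" (it is renamed rather than rejected).
    $name =~ s/\.{2,}/./g;
    $name =~ s/^[._-]+//;

    return undef unless length $name;
    return undef if length $name > 128;   # assumption: 128-character cap
    return $name;
}

# Join the sanitized name to the upload directory and re-check containment as
# defence in depth: the result must be exactly one component below $base_dir.
sub destination_path {
    my ($base_dir, $name) = @_;
    die "unsafe name\n" if $name =~ m{[\\/]} || $name eq '.' || $name eq '..';
    my $out = File::Spec->catfile($base_dir, $name);
    my (undef, $dir, $leaf) = File::Spec->splitpath($out);
    die "escaped upload dir\n"
        unless $leaf eq $name
            && File::Spec->canonpath($dir) eq File::Spec->canonpath($base_dir);
    return $out;
}

# Stream the upload to $out_fh, refusing once the running total (not the size
# of the current chunk) exceeds $max_bytes. Dies on oversize or write failure;
# the caller is expected to unlink the partial file in that case.
sub copy_limited {
    my ($in_fh, $out_fh, $max_bytes) = @_;
    binmode $in_fh;                 # uploads are binary data
    binmode $out_fh;
    my ($total, $buf) = (0, '');
    while (my $n = read($in_fh, $buf, 8192)) {
        $total += $n;
        die "upload exceeds $max_bytes bytes\n" if $total > $max_bytes;
        print {$out_fh} $buf or die "write failed: $!\n";
    }
    return $total;
}

# Constructed inputs (not from the post) and the name each should map to;
# undef means "reject". Returns the number of failing cases.
sub self_test {
    my @cases = (
        ['report.pdf',                  'report.pdf'],
        ['C:\Users\bob\..\..\boot.ini', 'boot.ini'],
        ['../../etc/passwd',            'passwd'],
        ['a`id`.txt',                   'aid.txt'],
        ["evil\0.jpg",                  'evil.jpg'],
        ['photo (1).jpg',               'photo1.jpg'],
        ['.htaccess',                   'htaccess'],
        ['..',                          undef],
        ['/',                           undef],
        ['',                            undef],
    );
    my $failures = 0;
    for my $c (@cases) {
        my ($in, $want) = @$c;
        my $got = safe_upload_name($in);
        my $ok = (defined $got && defined $want) ? $got eq $want
               : (!defined $got && !defined $want);
        $failures++ unless $ok;
        printf "%-4s %-32s -> %s\n", ($ok ? 'ok' : 'FAIL'),
            ($in =~ s/\0/\\0/gr), (defined $got ? $got : '<reject>');
    }
    $failures++ unless destination_path('/home/ducc/', 'report.pdf')
                       eq '/home/ducc/report.pdf';
    return $failures;
}

unless (caller) {
    # Wiring in a CGI script would be (assumed names):
    #   my $name = safe_upload_name($client_name) or die "rejected\n";
    #   my $out  = destination_path('/home/ducc/', $name);
    #   open my $out_fh, '>', $out or die "Can't open: $!";
    #   my $n = eval { copy_limited($upload_fh, $out_fh, 2_000_000) };
    #   unless (defined $n) { close $out_fh; unlink $out; die $@ }
    exit(self_test() ? 1 : 0);
}
```

Two things the sanitizer does not decide for you: the upload directory should be one the web server neither executes nor serves as CGI, and if two users can upload the same name the second will overwrite the first, so a per-upload prefix or a uniqueness check is still needed on top of the allowlist.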
