in reply to File Upload To Selected Directory

Security is a huge issue here.

Many will tell you not to allow the user to select filename/path for their upload. (You decide, and save their choices in a database to let them retrieve the file based on the "vitural" path they selected). In many cases though that's not practical. So make sure the filename is COMPLETELY safe for your system if you can't avoid using the user selections. This means:

  1. Making sure there aren't more "\" in the path.
  2. Making sure the path has only valid characters
  3. Making sure the filename is valid, with only valid characters
  4. Making sure the file doesn't already exist (unless you want to allow overwriting)
  5. Making sure the path doesn't contain ".."
And these are just the ones I could think of immediately. For example, I could upload \..\..\..\WINDOWS\COMMAND.COM and mess up your system. Or I could upload a IIS.INI (or whatever files IIS uses to control its settings) and get permission to do whatever to your files.

You can see File Upload Security Question by Ovid for a more intensive analysis of how paranoid you need to be about security.

Replies are listed 'Best First'.
RE (tilly) 2: File Upload To Selected Directory
by tilly (Archbishop) on Sep 26, 2000 at 21:04 UTC
    Oh there are more, lots more. For instance if you just do: 
      open (FILE, $file) or die "Cannot read $file: $!";

    [download]
    someone can pass a string that turns into a system command. You won't ever catch all of the possible nasties (fun stuff can be done with \0 for instance) which is why you need to make a list of what you explicitly permit and only pass that, rather than plugging the holes individually as you learn them.
[reply]
[d/l]
      you need to make a list of what you explicitly permit and only pass that,

      There is no way to say it better than that, so I'm just replying to draw extra attention to it. tilly++

[reply]
(Ovid - what Perlmonks can do for you) RE(2): File Upload To Selected Directory
by Ovid (Cardinal) on Sep 27, 2000 at 01:14 UTC
    Also, let me point out that the File Upload Security Question was posted by me 3 1/2 months ago. Compare my upload script (and stupid newbie comments) from then as compared to now and you'll see how fast your Perl knowledge can grow on a steady diet of Perlmonks and caffeine :)

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just go the the link and check out our stats.

[reply]

In Section Seekers of Perl Wisdom