in reply to 52K maximum file upload?

chromatic pointed out the max upload situation with CGI.pm, but I wanted to point out something different: you can have multiple values for a name.

For instance, imagine you have two checkboxes, both named "color". One is for "red" and the other is for "blue" and you have both checked when you submit the form. CGI.pm will correctly read them both. You would use the following to retrieve both values:

my @colors = $cgi->param( 'color' ); # Note the array
In your snippet above, name all of the files "file" and you can use this to populate your files array:
@files = $cgi->param( 'file' );
Since you're already pushing your filehandles into @files, you won't have any changes to your logic, but you'll have reduced 14 lines of code to 1. Much easier to maintain and extend that way.

And the obligatory: you forgot to use strict or taint checking.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Re: (Ovid) Re: 52K maximum file upload?
by Stamp_Guy (Monk) on Nov 29, 2000 at 06:15 UTC
    Thanks for that suggestion. I didn't realize that shortcut would work. I added a line that says: $CGI::POST_MAX=1024 * 5000; but it doesn't work. Any ideas?
      Looking through your code, I can't see any obvious reason why this would be a problem. Could it be a limitation of your Web server? Another thing to check could be to use Data::Dumper to examine the contents of the CGI object to see if everything is getting through.
      use Data::Dumper;
      print $cgi->pre( Dumper( $cgi ) );
      That will get you looking at the inside of the CGI object and it's a pretty hairy thing. Once you've verified that all of your filehandles are in there, you could possibly narrow things down. It's not for the faint of heart, though.

      In the meantime, you might want to look at a rather significant security hole you have in your script:

      $file=~m/^.*(\\|\/)(.*)/; # strip the remote path and keep the filename
      $name = $2;
      open(LOCAL, ">$dir/$name") or die $!; #open file
      See that little dot star at the end of your regex? I specify the right filename and you're toast. I could use that for reverse directory traversal and append a pipe to the end of the filename to cause it to be executed instead of opened. Got any programs on your system that you don't want a cracker to run?

      Another problem with it is that there is no test for failure. If it does not match, $2 may have a value from a previous match. Since you're iterating over this, it's a BAD THING. Try the following regex. It assumes that only letters, numbers, and underscores are in your filename, plus the possibility of one extension delimited by one period.

      ( $name ) = ( $file =~ /(\w+(?:\.\w+)?)$/ ); # Note the $ which anchors to the end of string

      As a style issue, you may want to rewrite the following:

      ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
      Since you are only using the minutes and seconds from this, you can rewrite it as:
      my ( $sec, $min ) = (localtime( time ) )[0,1];
      Last note: I was really trying to avoid touting my CGI course again (too much blowing my own horn is not a good thing), but I really think you could benefit from my lesson on security. It's free and all you can eat.

      Cheers,
      Ovid

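
The filename check from the reply above, carried through to the open call, as an added example that is not part of the original thread. `safe_upload_name` and `open_upload` are hypothetical helper names, the sample filenames are constructed, and two tightenings are assumptions made here: the character class is spelled out with `\z` in place of `\w` and `$`, and the file is opened with three-argument `open`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return a safe basename for a client-supplied upload filename, or undef.
# Same rule as the regex in the reply: letters, digits and underscores plus
# at most one ".ext", anchored to the very end of the string.
sub safe_upload_name {
    my ($file) = @_;
    return unless defined $file;
    # List assignment yields an empty list when the match fails, so $name is
    # undef instead of a stale $2 left over from an earlier loop iteration.
    my ($name) = $file =~ /([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)?)\z/;
    return $name;
}

# Three-argument open keeps the mode separate from the path, so nothing in
# $name can turn the call into a pipe or select a different open mode.
sub open_upload {
    my ( $dir, $name ) = @_;
    open( my $fh, '>', "$dir/$name" ) or die "Cannot open $dir/$name: $!";
    binmode $fh;
    return $fh;
}

# Constructed sample inputs (not taken from the thread).
my @samples = (
    'C:\\Documents\\report.txt',    # Windows client path
    '/home/user/photo.jpg',         # Unix client path
    '../../notes.txt',              # leading path is dropped, basename kept
    'report.txt|',                  # trailing metacharacter: no match
    'archive.tar.gz',               # only the last "name.ext" pair survives
    '',                             # empty upload field: no match
);

for my $file (@samples) {
    my $name = safe_upload_name($file);
    printf "%-28s => %s\n", "'$file'",
        defined $name ? "'$name'" : 'REJECTED';
}
```

The loop only prints what each input is reduced to; `open_upload` is defined but not called, so running the script writes no files.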