in reply to File uploading methods compared

$filename = $sourcepath = $query->upload($file);
$filename =~ /([\w. -]+)$/i;
$filename = $1;
$filename =~ s/ /_/g;

This block appears to be an attempt to return the File::Basename of the upload. Suffice it to say, you should probably leave this to CPAN.

open(OUTPUT, ">$path/$filename") or return ($filename, "Cannot open '$filename'. Contact Webmaster");

This is atypical -- at least as far as my Perl experience is concerned. I presume you're implementing your error handling outside of this sub, but I don't see why the abstraction is necessary...

binmode($filename);
binmode(OUTPUT);

OUTPUT is a filehandle, whereas $filename is a scalar variable (and previously regexed at that). The binmode section of perlfunc states that the first argument must be a filehandle. This improper usage appears inconsequential as I presume you no longer use the scalar; nevertheless, only binmode filehandles. I believe you meant to binmode the input and output filehandles, but you've only opened OUTPUT.

while( read($sourcepath, $buffer, 64*2**10) ) {
    print OUTPUT $buffer;
}

While this may work, you presume that 64k will always be available and you don't appear to check the return and die or warn as appropriate.

The second example is considerably more "perlish", however it should be noted that it doesn't appear CGI-safe either.

my $upload_filehandle = $query->upload("filename");
open UPLOADFILE, ">$upload_dir/$filename";

There is no taint checking, no basename extraction. This is a potential vulnerability.

I could digress further, but suffice it to say: "if it works, it works" (TIMTOWTDI); however please read about taint checking and check the perldoc for the functions you use.

Re^2: File uploading methods compared
by Animator (Hermit) on May 14, 2005 at 15:56 UTC

    I certainly agree that you should do taint-checking on the name of the file the user sends you... A simple open UPLOADFILE, ">$upload_dir/$file" could corrupt data depending on the application and the configuration of the webserver. (Even worse would be chdir $upload_dir; open UPLOADFILE, ">$file";)

    In my opinion you should ALWAYS use the three-argument version of open (something like: open UF, ">", "$upload_dir/$filename" or die $!), since this does not allow a mode change... (and a mode change could corrupt one of your files and/or your script's configuration file (without knowing the file's name, that is, but that depends on the script), and/or running files (but only when there is no mode; in this case this is impossible since you have ">"))

    As a side note: the OP's code does not need 64kb of data to work, 'read' will try to read a maximum of 64kb of data. (which is quite different)
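As an added example (not code from the OP or from either reply above), here is one way to put the points from both posts together: the upload name is reduced to a basename and untainted through a whitelist capture, the output file is opened with the three-argument form so the mode cannot be changed by the name, binmode is applied to both handles rather than to the scalar, and the read loop checks read's return value instead of assuming 64k is always available. It assumes the upload arrives as a readable filehandle (which is what $query->upload returns); the scratch directory, the file name and the in-memory data are constructed for the demonstration, and the function names are this example's own.

```perl
#!/usr/bin/perl
# Added example: save an uploaded file without trusting the client's name.
# Run as: perl -T upload_save.pl   (the regex capture is what untaints under -T;
# nothing here needs -T in order to run)
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Reduce a client-supplied name to a safe basename, or return undef.
# Browsers (notably on Windows) may send a full path, so split on both
# separators first; the whitelist then rejects anything that could
# change an open() mode ('|', '>', '<'), traverse directories, or hide
# a dotfile. $1 is the untainted copy.
sub sanitize_upload_name {
    my ($raw) = @_;
    return undef unless defined $raw && length $raw;
    my $base = (split m{[\\/]+}, $raw)[-1] // '';
    return undef unless $base =~ /\A([A-Za-z0-9][A-Za-z0-9_.\- ]*)\z/;
    my $clean = $1;
    $clean =~ s/ /_/g;
    return undef if length $clean > 255 || $clean =~ /\.\./;
    return $clean;
}

# Copy a readable handle ($in, e.g. what $query->upload returns) to
# $dir/<sanitized name>. Returns the path written or dies with a reason.
sub save_upload {
    my ($in, $raw_name, $dir) = @_;
    my $name = sanitize_upload_name($raw_name)
        or die "Rejected upload name '$raw_name'\n";
    my $path = File::Spec->catfile($dir, $name);

    # Three-argument open: the mode is fixed to '>' whatever $name contains,
    # so a name beginning with '|' or '>' cannot turn this into a pipe or
    # change the mode. (sysopen with O_EXCL would also refuse to clobber.)
    open my $out, '>', $path or die "Cannot open '$path': $!\n";
    binmode $in;     # both filehandles, not the scalar holding the name
    binmode $out;

    my $buffer;
    # read() returns the byte count, 0 at EOF, or undef on error; a short
    # read is normal, so loop until EOF and treat only undef as failure.
    while (1) {
        my $got = read $in, $buffer, 64 * 2**10;
        die "Read error on upload: $!\n" unless defined $got;
        last if $got == 0;
        print {$out} $buffer or die "Write error on '$path': $!\n";
    }
    close $out or die "Close failed on '$path': $!\n";
    return $path;
}

# Demonstration with constructed input (not real CGI data): an in-memory
# "upload" larger than one 64k read, and a scratch directory removed on exit.
my $dir  = tempdir(CLEANUP => 1);
my $data = "\x89PNG\r\n\x1a\n" . ('x' x 70_000);
open my $fake_upload, '<', \$data or die $!;

my $written = save_upload($fake_upload, 'C:\\Users\\bob\\my photo.png', $dir);
print "wrote ", -s $written, " bytes to $written\n";

# Names that would have been dangerous with open UPLOADFILE, ">$upload_dir/$file":
# traversal is reduced to its basename, the rest are rejected outright.
for my $bad ('../../etc/passwd', '|rm -rf /', '>config.pl', '.htaccess') {
    my $r = sanitize_upload_name($bad);
    printf "%-20s -> %s\n", $bad, defined $r ? $r : 'rejected';
}
```

The whitelist is deliberately narrow; widen the character class only with a reason, and keep the capture, because under -T it is the capture, not the match, that untaints the value.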