in reply to File Upload Script: Security Issue???

I guess that it really depends on what happens with these files AFTER they have been uploaded. It doesn't matter at all what is in the file that is being uploaded... It will never be executed in your code. Unless you are at some point exec()'ing the contents of the file (ps. NEVER NEVER NEVER exec user supplied data!) then the contents of the file will stay just as they are: the contents of the file.

If somehow the file was being placed into a portion of the web server that WAS accessible, and the file was executable, then you would have a different story on your hands, but you did say that it would be stored in a non-accessible directory as well.

Given what you've told us so far, you appear to be safe as written.

Re^2: File Upload Script: Security Issue???
by awohld (Hermit) on Jun 28, 2005 at 21:17 UTC
    People are going to download the file by referencing its filename indirectly (using its upload date in epoch seconds): i.e. get.cgi?id=xxxxxxx

    The server then takes its id, looks up its proper filename in a DB, then sends the file to the browser.

    Here's the relevant part of my download script:

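        # Open the stored file by its id (3-arg open keeps the mode separate from the path)
        open(DLFILE, '<', "$file_location/$id") || Error('open', 'file');
        @fileholder = <DLFILE>;
        close(DLFILE) || Error('close', 'file');

        # Send the file as a download under its original filename
        print "Content-Type:application/x-download\n";
        print "Content-Disposition:attachment;filename=$filename[0]\n\n";
        print @fileholder;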

      Hi,

      Don't use something like an epoch, because what happens if you have 2 people uploading... epoch only gives you one-second accuracy, so I would give them a temporary filename; take a look at File::Temp. Or if you want a next step you can think about giving a filename based on the md5sum of the input file or something else.

      Regards,

      :-)
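
The naming suggestion in the reply above, as an added example that is not part of the original thread: the upload is written under a File::Temp name and then renamed to a digest of its contents, and the download side accepts only ids of that exact shape. SHA-256 is used here in place of the md5sum mentioned in the reply, the function names `store_upload` and `path_for_id` are hypothetical, and the id is assumed to be the stored filename itself rather than a DB key.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);
use Digest::SHA;

# Stream an upload into $dir under a temporary name that cannot collide,
# then rename it to the SHA-256 of its contents. Returns the hex digest (the id).
sub store_upload {
    my ($in, $dir) = @_;
    # tempfile() creates the file exclusively, so two uploads arriving in the
    # same second still get distinct names (unlike an epoch-seconds id).
    my ($out, $tmp) = tempfile('upload_XXXXXXXX', DIR => $dir, UNLINK => 0);
    binmode $_ for $in, $out;
    my $sha = Digest::SHA->new(256);
    while (read($in, my $buf, 65536)) {
        $sha->add($buf);
        print {$out} $buf or die "write $tmp: $!";
    }
    close $out or die "close $tmp: $!";
    my $id = $sha->hexdigest;
    # Identical uploads map to the same name, so a repeat simply replaces itself.
    rename $tmp, "$dir/$id" or die "rename $tmp: $!";
    return $id;
}

# Map an id from the query string to a path. Only 64 lowercase hex characters
# are accepted, so the value can never contain "/" or "..".
sub path_for_id {
    my ($id, $dir) = @_;
    return unless defined $id && $id =~ /\A[0-9a-f]{64}\z/;
    my $path = "$dir/$id";
    return -f $path ? $path : undef;
}

# Constructed demo: two "uploads" arriving in the same second, then lookups.
my $dir = tempdir(CLEANUP => 1);
my @ids;
for my $body ("first file\n", "second file\n") {
    my $copy = $body;                       # writable copy for the in-memory handle
    open my $in, '<', \$copy or die "open: $!";
    push @ids, store_upload($in, $dir);
}
print "stored as $_\n" for @ids;
print "malformed id rejected\n" unless path_for_id('../other/file', $dir);
print "valid id resolves\n"     if path_for_id($ids[0], $dir);
```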