in reply to Re: File Upload Script: Security Issue???
in thread File Upload Script: Security Issue???

People are going to download the file by referencing its filename indirectly (using its upload date in epoch seconds): i.e. get.cgi?id=xxxxxxx

The server then takes its id, looks up its proper filename in a DB, then sends the file to the browser.

Here's the relevant part of my download script:

    # $id comes straight from the query string (get.cgi?id=...) and is
    # interpolated into the path unchanged
    open(DLFILE, "<$file_location/$id") || Error('open', 'file');
    binmode DLFILE;                      # so binary uploads are not altered
    @fileholder = <DLFILE>;
    close(DLFILE) || Error('close', 'file');
    print "Content-Type:application/x-download\n";
    # $filename[0] holds the name looked up in the DB (was @filename[0], a one-element slice)
    print "Content-Disposition:attachment;filename=$filename[0]\n\n";
    print @fileholder;

Re^3: File Upload Script: Security Issue???
by fmerges (Chaplain) on Jun 28, 2005 at 21:41 UTC

    Hi,

    Don't use something like an epoch, because what happens if you have 2 persons uploading... epoch only gives you one-second accuracy, so I would give them a temporary filename, take a look at File::Temp. Or if you want a next step you can think about giving a filename based on the md5sum of the input file or something else.

    Regards,

    :-)
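Here is how the download side described in the original post and fmerges' naming suggestion fit together, as an added example that is not code from either poster. It assumes CGI.pm's header() helper, a placeholder upload directory, and a %db hash standing in for the real database lookup; stored_name_for() is the hypothetical save-time counterpart that names a file by the MD5 of its content.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use File::Spec;
use File::Basename qw(basename);
use Digest::MD5 qw(md5_hex);

# Assumed storage directory (placeholder) and a hash standing in for the
# DB row that maps an id to the user's original filename (constructed).
my $file_location = '/var/uploads';
my %db = ( '1119994871' => 'quarterly report.pdf' );

# Name a stored upload by the MD5 of its content (fmerges' suggestion), so
# two uploads in the same second cannot collide and the name is never user-chosen.
sub stored_name_for {
    my ($content_ref) = @_;
    return md5_hex($$content_ref);
}

# Accept only the token shape this application itself generates; ".." or "/"
# in a submitted id never reaches the filesystem.
sub clean_id {
    my ($raw) = @_;
    return (defined $raw && $raw =~ /\A([0-9a-f]{1,32})\z/) ? $1 : undef;
}

# Belt and braces: confirm the resolved path is still under the upload directory.
sub path_for_id {
    my ($id) = @_;
    my $path = File::Spec->catfile($file_location, $id);
    my $root = File::Spec->rel2abs($file_location) . '/';
    return index(File::Spec->rel2abs($path), $root) == 0 ? $path : undef;
}

sub send_file {
    my $q    = CGI->new;
    my $id   = clean_id($q->param('id')) or die "bad id\n";
    my $orig = $db{$id}                  or die "unknown id\n";
    my $path = path_for_id($id)          or die "bad path\n";
    # basename() drops any directory part of the stored original name;
    # stripping quotes and CR/LF keeps the header from being split.
    (my $shown = basename($orig)) =~ s/["\r\n]//g;
    open(my $fh, '<', $path) or die "open: $!\n";
    binmode $fh;                       # binary-safe, unlike a line-based slurp
    print $q->header(-type => 'application/octet-stream', -attachment => $shown);
    print while <$fh>;
    close $fh;
}
send_file();
```

Run as a CGI with get.cgi?id=1119994871 it serves the sample row; any id that is not plain hex digits is refused before open() is reached.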