Is it possible to use WWW::Mechanize on a file upload field?
It's clearly possible to use WWW::Mechanize for file upload: unless you implement some human detection test (e.g. a captcha, which web servers usually don't), there's no way for the web server to tell if some input came from a human clicking on a form or from a WWW::Mechanize script. Moreover, it's also possible to use "plain" LWP::UserAgent to do this, even if WWW::Mechanize is way easier IIRC.
Or is there something special about this field?
There is indeed something special, i.e. the Content-Type of the request has to be set to multipart/form-data instead of the default application/x-www-form-urlencoded. But this should happen automatically. See also the docs for HTTP::Request::Common for more info.
And if it is possible, would it not also be possible to pass files as a hidden parameter and possibly steal information?
I don't understand this. Unless there's some bug on the server or cgi-script, why should *uploading* a file to the server allow someone to *steal* data from it?
I need to populate a form field for my uploader but if it works, I can't help but think there's a whole security thing with uploaders I wasn't aware of.
Uploaders can make a process automatic, so there's pretty much the same level of risk that you have with anything you make automatic: it can go damned fast and saturate your resources (bandwidth, disk, whatever). I don't see other particular security issues.
Note that I'm not saying that there aren't security issues, only that I don't see particular differences with respect to other forms of automation; probably only the possible target resources are different (in this case, for example, disk space would be threatened, while in others it might not be).
Could you be more specific?
Flavio
perl -ple'$_=reverse' <<<ti.xittelop@oivalf
Don't fool yourself.
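Both routes mentioned in the answer, as an added example that is not part of the original thread: the "plain" LWP route builds the multipart/form-data request by hand with HTTP::Request::Common, and the WWW::Mechanize route fills in the page's own form. The URL http://example.invalid/upload, the field names title and upload, and the path /tmp/hello.txt are assumptions; the file content for the LWP route is given inline so the request can be built and inspected offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use WWW::Mechanize;

# Assumed target and field names; a real form may use different ones.
my $upload_url = 'http://example.invalid/upload';

# Route 1: "plain" LWP. Content_Type => 'form-data' makes HTTP::Request::Common
# encode the body as multipart/form-data, and an arrayref value marks a file part.
# Passing undef as the file and Content => ... supplies the bytes inline, so no
# file on disk is needed; a path string in the first slot would be read instead.
sub build_upload_request {
    my ($url, $title, $filename, $content) = @_;
    return POST($url,
        Content_Type => 'form-data',
        Content      => [
            title  => $title,
            upload => [ undef, $filename,
                        'Content-Type' => 'text/plain',
                        Content        => $content ],
        ],
    );
}

my $req = build_upload_request($upload_url, 'test upload', 'hello.txt', "hello, world\n");
print $req->method, ' ', $req->uri, "\n";
print 'Content-Type: ', $req->header('Content-Type'), "\n";   # multipart/form-data; boundary=...
print $req->content;   # one part for "title", one file part for "upload"

# Sending it would be: LWP::UserAgent->new->request($req)
# (left out so the script runs offline).

# Route 2: WWW::Mechanize fetches the page, picks the form that has these fields,
# fills them in and submits; the multipart encoding happens automatically.
# Pass a page URL on the command line to run it against a live server.
if (my $page_url = shift @ARGV) {
    my $mech = WWW::Mechanize->new(autocheck => 1);
    $mech->get($page_url);
    $mech->submit_form(
        with_fields => {
            title  => 'test upload',
            upload => '/tmp/hello.txt',   # a file input takes a path; Mechanize reads and encodes it
        },
    );
    print $mech->status, ' ', $mech->content_type, "\n";
}
```

Run without arguments it only prints the request the LWP route would send, which is enough to see the multipart/form-data header and the Content-Disposition of each part; nothing in the encoding depends on whether a browser or a script produced it.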
By security issues I mean passing data upload fields to forms that may or may not be checking all data that comes to it.
It's one thing to send some screwed up data (or maybe even some spam to a contact form) but to be able to actually send files to the server is something that doesn't really surprise me but I never thought about it.
Even if the form knows better than to accept unknown data, it's still sending all that extra file data to the server.
Guess there's really no way to prevent that though.
I was also thinking whether or not it was possible to pass a hidden form field AS a file upload field. Like downloading specific C:\ files that the user doesn't know they are uploading.
Ah, now I understand.
On one hand, the fact that you give the possibility to upload something also exposes you to the fact that someone could actually upload something you don't want, be it a troll or a troll-script. As you say, there's really little to do about it, but I'd like to point out that this has little to do with an uploader script.
The other question deals with the browser more than a WWW::Mechanize script. There is a specific form input element (its type is, unsurprisingly, file) that allows file uploads, and this is usually shown as an entry box with a bundled button that lets you "browse..." through the filesystem. Given the fact that a form input element cannot be of two types at once (i.e. hidden and file), I'd sleep quietly from this point of view.
Flavio
perl -ple'$_=reverse' <<<ti.xittelop@oivalf
Don't fool yourself.
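The point about input types, as an added example that is not part of the original thread: it parses a constructed form (one hidden field, one file field) with HTML::Form, the module WWW::Mechanize uses underneath, and shows that a path stuffed into the hidden field is sent as a literal string, while only the file input becomes a file part with a filename and content. The form markup, the base URL http://example.invalid/ and the field names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Form;

# Constructed form: a hidden field next to a file field, as the question imagines.
my $html = <<'HTML';
<form method="POST" action="/upload" enctype="multipart/form-data">
  <input type="hidden" name="secret" value="tracking-id-42">
  <input type="file" name="upload">
  <input type="submit" value="Send">
</form>
HTML

my ($form) = HTML::Form->parse($html, 'http://example.invalid/');

# Every input has exactly one type; HTML::Form even uses a different class for each.
for my $input ($form->inputs) {
    printf "%-8s type=%-7s class=%s\n", $input->name // '', $input->type, ref $input;
}

# Putting a path into the hidden field makes it a string like any other...
$form->value(secret => 'C:\\secret.txt');

# ...while only the file input yields a file part. Its content is set inline here so
# the example needs no file on disk; giving it a path would read that file instead.
my $file = $form->find_input('upload', 'file');
$file->filename('hello.txt');
$file->content("hello, world\n");

my $req  = $form->make_request;   # multipart/form-data, because of the form's enctype
my $body = $req->content;
print "Content-Type: ", $req->header('Content-Type'), "\n\n$body\n";

# The hidden part carries the literal string; nothing is opened on the client's disk.
die "hidden field was not sent as plain text\n"
    unless $body =~ /name="secret"\r?\n\r?\nC:\\secret\.txt/;
# Only the file part has a filename, and it contains what was put in the file input.
die "file part missing\n"
    unless $body =~ /name="upload"; filename="hello\.txt"/ && $body =~ /hello, world/;
```

The two die checks make the script self-checking: the hidden part is just `name="secret"` followed by the text C:\secret.txt, and the only part with a filename is the one that came from the input of type file. A browser behaves the same way, which is why a hidden field cannot quietly become an upload.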