in reply to Re: CGI file uploads
in thread CGI file uploads

By security issues I mean passing data upload fields to forms that may or may not be checking all data that comes to it.

It's one thing to send some screwed up data (or maybe even some spam to a contact form) but to be able to actually send files to the server is something that doesn't really surprise me but I never thought about it.

Even if the form knows better than to accept unknown data, it's still sending all that extra file data to the server.

Guess there's really no way to prevent that though.

I was also thinking whether or not it was possible to pass a hidden form field AS a file upload field. Like download specific C:\ files on which the user doesn't know they are uploading.

Re^3: CGI file uploads
by polettix (Vicar) on Mar 13, 2006 at 18:07 UTC
    Ah, now I understand.

    On one hand, the fact that you give the possibility to upload something also exposes you to the fact that someone could actually upload something you don't want, be it a troll or a troll-script. As you say, there's really little to do with it, but I'd like to point out that this has little to do with an uploader script.

    The other question deals with the browser more than a WWW::Mechanize script. There is a specific form input element (its type is, unsurprisingly, file) that allows file uploads, and this is usually shown as an entry box with a bundled button that lets you "browse..." through the filesystem. Given the fact that a form input element cannot be of two types at once (i.e. hidden and file), I'd sleep quietly from this point of view.

    Flavio
    perl -ple'$_=reverse' <<<ti.xittelop@oivalf

    Don't fool yourself.
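Added illustration, not code from any post in this thread: what the two points above look like from the server side of a multipart/form-data POST. A browser only produces a file part from an input of type file, but the server never sees the form; it sees a part whose Content-Disposition carries a filename, and a client script (WWW::Mechanize or anything else) can put that on any field name it likes, hidden fields included. So the script receiving the upload has to decide for itself which fields may carry files and how big they may be. The thread's scripts are Perl/CGI.pm; the example below is written in Python with only the standard library so that it runs anywhere. The boundary string, the field names (comment, attachment, secret_id), the 64-byte cap and the sample requests are all constructed for the demo.

```python
"""Server-side view of a multipart/form-data POST, as a CGI script sees it.

Added illustration for the thread above (not code from the original posts).
Boundary, field names, size cap and sample requests are constructed here.
"""
from email import message_from_bytes

# What the HTML form actually declares: one file input, everything else
# is a plain (or hidden) field. This allowlist is the server's only source
# of truth; the request itself says nothing about the form's input types.
ALLOWED_FILE_FIELDS = {"attachment"}
MAX_FILE_BYTES = 64        # deliberately tiny for the demo

BOUNDARY = "demo42boundary"               # hypothetical boundary string
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_multipart(boundary, parts):
    """Encode (name, filename, data) tuples the way a browser, or any
    client script, does. filename=None gives an ordinary field; anything
    else gives a file part, whatever type the form's <input> had."""
    out = b""
    for name, filename, data in parts:
        disp = 'form-data; name="%s"' % name
        if filename is not None:
            disp += '; filename="%s"' % filename
        out += b"--" + boundary.encode() + b"\r\n"
        out += b"Content-Disposition: " + disp.encode() + b"\r\n"
        if filename is not None:
            out += b"Content-Type: application/octet-stream\r\n"
        out += b"\r\n" + data + b"\r\n"
    return out + b"--" + boundary.encode() + b"--\r\n"


def parse_form(content_type, body):
    """Split a request body into plain fields, accepted files and rejected
    parts. Returns (fields, files, rejected)."""
    # Wrap the body in a minimal MIME message so the stdlib parser splits it.
    raw = (b"MIME-Version: 1.0\r\nContent-Type: " + content_type.encode()
           + b"\r\n\r\n" + body)
    msg = message_from_bytes(raw)
    if not msg.is_multipart():
        raise ValueError("not a multipart/form-data body")
    fields, files, rejected = {}, {}, []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        data = part.get_payload(decode=True) or b""
        if filename is None:
            fields[name] = data.decode("utf-8", "replace")
            continue
        # A filename means the client chose to send a file under this name.
        # The server cannot tell whether the form field was 'hidden' or
        # 'file'; it only sees this header, so it decides by its allowlist.
        if name not in ALLOWED_FILE_FIELDS:
            rejected.append((name, "file part on a non-file field"))
        elif len(data) > MAX_FILE_BYTES:
            rejected.append((name, "exceeds %d bytes" % MAX_FILE_BYTES))
        else:
            # Keep only the basename: clients can send '../x' or 'C:\\dir\\x'.
            safe = filename.replace("\\", "/").rsplit("/", 1)[-1]
            files[name] = (safe, data)
    return fields, files, rejected


if __name__ == "__main__":
    # Constructed request: a normal field, a legitimate upload, and a file
    # part smuggled in under a field name the form only ever had as hidden.
    req = build_multipart(BOUNDARY, [
        ("comment", None, b"hello there"),
        ("attachment", "../../notes.txt", b"some notes"),
        ("secret_id", "secret.txt", b"root:x:0:0"),
    ])
    print(parse_form(CONTENT_TYPE, req))
    # Oversized upload on the allowed field: rejected by the size cap.
    big = build_multipart(BOUNDARY, [("attachment", "big.bin", b"A" * 100)])
    print(parse_form(CONTENT_TYPE, big))
```

The size cap is the one thing the script can do about "all that extra file data": the bytes still arrive, but a limit lets the server stop reading and fail early instead of buffering whatever the client sends. In CGI.pm the equivalent knobs are $CGI::POST_MAX and $CGI::DISABLE_UPLOADS, set before the CGI object is created.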