elusion has asked for the wisdom of the Perl Monks concerning the following question:

Well fellow monks, here I am again. Seeking help.

I'm having trouble with a script I'm writing. It's supposed to upload files using CGI, but it's not working. This is my first time attempting this, so it's probably something simple. Here goes.

The Code

    if ($event = $cgi->param('event')) {
        $description = $cgi->param('description');
        $fh = $cgi->upload('file');
        my $file4desc = $fh;
        $file4desc =~ s/\.\w+$/\.txt/;
        if (-e "$event/$file4desc") {
            print "There's already a file under that name. Please rename the file and try again.";
        } else {
            open FILE, ">$event/$fh";
            while (<$fh>) {
                print FILE $_;
            }
            close FILE;
            open DESC, ">$event/$file4desc";
            ($sec,$min,$hour,$date,$mon,$year,$wday,$ydat,$isdst) = localtime();
            $year += 1900;
            $mon++;
            print DESC "$description added $mon/$date/$year by $username";
            close DESC;
            print "Uploaded $fh";
        }
    } else {
        my @events = ('event1,event2,event3');
        print "<form method='POST' action='index.pl' enctype='multipart/form-data'>\n";
        print "<input type='hidden' name='node' value='upload'>\n";
        print "<h2>Upload</h2>\n";
        print "<b>Event:</b><br>\n";
        print "<select name='event'>\n";
        foreach $event (@events) {
            my $presentable = $event;
            $presentable =~ s/_/ /g;
            print "<option value='$event'>$presentable\n\n";
        }
        print "</select><p>\n";
        print "<b>File:</b><br>\n";
        print $cgi->filefield(-name => 'file');
        print "<p><b>Description:</b><br>\n";
        print "<textarea name='description' rows=6 cols=50></textarea><br>\n";
        print "<input type='submit' value='upload'>\n";
        print "</form>";
    }
This doesn't work; for some reason it quits after calling $cgi->upload. Does anyone know why this happens? (For those wondering, this isn't the whole script.)

- p u n k k i d
"Reality is merely an illusion, albeit a very persistent one." -Albert Einstein

Re (tilly) 1: Help with a File Upload
by tilly (Archbishop) on Feb 18, 2001 at 03:48 UTC
    If I were you I would check the error logs. I would also suggest adding more informative dies, and paying attention to security. For instance look at perlsec, turn on taint checking, and stop trusting that user-supplied filenames will be clean.

    Here is a simple working example I did a while ago which just echoes the file back to the browser. For more information on some of the security issues that need to be addressed, you may wish to visit the WWW Security FAQ including this section on CGI scripts. Or you can just wander by some samples of how people actually crack scripts. (Hint, it is your vulnerability to some of these cracks that made me sit down and write this. I leave it to you to figure out which ones...)

    For a random past discussion on this (which explains both why you cannot safely ignore these attacks and gives some pointers on how to protect yourself) take a look at Warning our Fellow Monks.

      ...turn on taint checking...

      If you look up to my original post it says that it's not the whole script. *grin* Taint checking's on.

      ...adding more informative dies...

      I know where the script breaks. Right after the call to upload. I do my research. *grin*

      - p u n k k i d
      "Reality is merely an illusion, albeit a very persistent one." -Albert Einstein

        If taint checking is on then your probable problem is the fact that there is tainted data. Check your logs.

        As for "doing your research", wrong answer. If you follow the advice in perlstyle you will minimize the chance that an unexpected error will wind up in a bad state but proceeding blindly. And by actually capturing errors in an informative way you make it so that if something goes wrong then you generally have your answer in front of you before you start trying to debug.

        This is an item which I feel very strongly about. Not knowing that error checks are important is one thing. But having a programmer be unwilling to learn to put in those checks is a fireable offence in my books. (And there are not a lot of things that I call fireable offences!)

Re: Help with a File Upload
by dws (Chancellor) on Feb 18, 2001 at 03:54 UTC
    Hint: What type of thing is param('file') and how might that be useful to you in this situation? (The answer is in the POD documentation in CGI.pm)

    Bonus hint: use -T to turn on taint checking, and fix the problems that it reports.

    Update: If you're already taint checking, then you need to look carefully at what happens if someone inserts some hostile code into $description.
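Pulling the advice from both threads together (tilly's points about tainted data and informative dies, dws's hints about what param('file') and upload('file') actually return and about hostile text in $description), here is a hardened version of the handler. This is an added example, not elusion's script and not code from any of the replies. It assumes the event directories event1, event2 and event3 exist and are writable, that $username comes from somewhere already trusted, and that the description files are later shown in a browser (which is why the description is HTML-escaped before it is stored). It goes a little beyond the thread by validating the event name against an allow-list and capping the request body size with $CGI::POST_MAX; both are standard CGI.pm-era defences rather than anything the monks spelled out.

```perl
#!/usr/bin/perl -T
# Hardened upload handler (added example, not the original poster's code).
# Assumptions: event dirs event1..event3 exist and are writable, $username is
# trusted, and description files are later rendered as HTML.
use strict;
use warnings;
use CGI;
use POSIX qw(strftime);

$CGI::POST_MAX        = 10 * 1024 * 1024;   # refuse request bodies over 10 MB
$CGI::DISABLE_UPLOADS = 0;                  # uploads are explicitly wanted here

# Allow-list of event directories; matching against it is what justifies
# untainting $event below.
my %ALLOWED_EVENT = map { $_ => 1 } qw(event1 event2 event3);

# Turn the browser-supplied filename (CGI param 'file') into a name that is safe
# to join onto a directory, or return undef. Any path prefix is dropped (old IE
# sent "C:\path\name"), dotfiles and "." / ".." are refused, and the final
# capture is what actually untaints the value under -T.
sub safe_filename {
    my ($client_name) = @_;
    return undef unless defined $client_name && length $client_name;
    (my $base = $client_name) =~ s{.*[\\/]}{}s;   # strip directory parts
    $base =~ s/\s+/_/g;
    return undef if $base eq '' || $base =~ /^\./;
    return undef unless $base =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]{0,99})$/;
    return $1;
}

# Companion description file: same stem, .txt extension.
sub desc_filename {
    my ($name) = @_;
    (my $stem = $name) =~ s/\.\w+$//;
    return "$stem.txt";
}

# One line of metadata. $description is HTML-escaped so whatever the user typed
# is shown as text, not run as script, when the file is viewed in a browser.
sub desc_line {
    my ($cgi, $description, $username) = @_;
    my $when = strftime('%m/%d/%Y', localtime);
    my $text = defined $description ? $description : '';
    return $cgi->escapeHTML($text) . " added $when by $username";
}

sub save_upload {
    my ($cgi, $username) = @_;

    my $event = $cgi->param('event');
    die "Unknown event\n" unless defined $event && $ALLOWED_EVENT{$event};
    ($event) = $event =~ /^(\w+)$/;              # untaint after the allow-list check

    # param('file') is the client's filename; upload('file') is a filehandle on
    # the temporary copy CGI.pm has already stored. They are different things.
    my $name = safe_filename(scalar $cgi->param('file'))
        or die "Rejected empty or unsafe filename\n";
    my $fh = $cgi->upload('file')
        or die 'No file received: ' . ($cgi->cgi_error || 'no upload in request') . "\n";

    my $target = "$event/$name";
    my $desc   = "$event/" . desc_filename($name);
    die "$name already exists under $event\n" if (-e $target) || (-e $desc);

    # Three-argument open, lexical handles, and a die carrying $! at every step:
    # when something fails, the error log says exactly what and why.
    open my $out, '>', $target or die "Cannot create $target: $!\n";
    binmode $out;
    binmode $fh;
    my $buf;
    while (my $got = read $fh, $buf, 64 * 1024) {
        print {$out} $buf or die "Write to $target failed: $!\n";
    }
    close $out or die "Closing $target failed: $!\n";

    open my $dout, '>', $desc or die "Cannot create $desc: $!\n";
    print {$dout} desc_line($cgi, scalar $cgi->param('description'), $username), "\n"
        or die "Write to $desc failed: $!\n";
    close $dout or die "Closing $desc failed: $!\n";
    return $name;
}

# Offline demonstration with constructed values (no web server needed).
unless (caller) {
    my $cgi = CGI->new('event=event1&description=%3Cscript%3Ealert(1)%3C/script%3E');
    for my $raw ('notes.txt', 'C:\\docs\\slides.PDF', '../../etc/passwd', '.htaccess') {
        my $safe = safe_filename($raw);
        printf "%-22s -> %s\n", $raw, defined $safe ? $safe : '(rejected)';
    }
    print desc_line($cgi, scalar $cgi->param('description'), 'demo'), "\n";
    if (($ENV{REQUEST_METHOD} || '') eq 'POST') {   # a real request: do the upload
        print $cgi->header('text/plain');
        my $saved = eval { save_upload($cgi, 'demo') };
        print defined $saved ? "Uploaded $saved\n" : "Upload failed: $@";
    }
}
```

Run it as perl -T upload.pl to see the filename and escaping checks on the constructed inputs; because -T is in the shebang line, perl refuses to start without the flag on the command line too. The shape of the thing is what matters more than any one check: every value that came from the browser is either matched against an allow-list or pushed through a capturing regex before it touches the filesystem, every open and close has its own die with $! in it, and the description is escaped on the way in rather than trusted on the way out.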