in reply to Re^2: Testing file input validity in FF
in thread Testing file input validity in FF
Here's a few checks you could easily add:
It looks like you're assuming that it's a text file, and you read it into memory line by line. But what if someone accidentally sends you a large binary file (maybe it's the correct file, only it's been zipped)?
Here's a revised version of your upload() function that uses read() to read the file into a buffer 1kb at a time, and abort if it looks too big (you can set your own limit).
sub upload { my $self = shift; my $q = $self->query; if(untaintFile($q->param('file')) && $q->upload('file')) { my $filename=untaintFile($q->param('file')); ($filename) = $filename =~ /([[:ascii:]]+)/; unless($filename) { croak "no filename given!"; } my $file = $q->upload('file'); unless($file) { croak "can't get filehandle for upload!"; } my $data; my $buffer; my $bytesread = 0; my $totalbytes = 0; while($bytesread = read($file, $buffer, 1024)) { $totalbytes += $bytesread; if($totalbytes > $MAX_DATA_LIMIT) { croak "upload file too big!"; } $data .= $buffer; } unless ($data) { croak "no data!"; } else { my $thisfile = File->parse($data); if(my $format_error = $thisfile->check_formatting()) { # warn if any format errors found return; } my $file_id = $self->file_upload({ name => $filename, data => $data, }); } } $self->header_type('redirect'); $self->header_props(-url => "$CONFIG{userbase}/user.pl"); return; }
|
|---|
| Replies are listed 'Best First'. | |
|---|---|
|
Re^4: Testing file input validity in FF
by ksublondie (Friar) on Feb 19, 2009 at 20:30 UTC |