Hello,

I use Catalyst in a similar context. It is working really well.

Have you worked through the tutorial? I'm sure once you do, you'll realize that by default there is really very little that Catalyst does. It is basically nothing more than a tool to map URLs to perl subroutines in a http context. But it does this job very well.

Of course it has a lot of other plugins and features built around the dispatcher. If you really want to give the framework a thorough review, get the Catalyst book, and lurk in #catalyst on irc.perl.org.

Regards,

Catalyst::Plugin::RequireSSL

Is Catalyst mature enough to be used in such a setting?

Yes.

If not, is there another system that may seem suitable?

Yes, but none as fast as Catalyst:-).

An example:

#!/usr/bin/perl

use strict;
use warnings;
use Catalyst;
MyApp->setup( qw/RequireSSL/ );

My App->config->{require_ssl} = {
             https => 'secure.mydomain.com',
             http   => 'www.mydomain.com',
             remain_in_ssl => 1,
                         no_cache => 1;
};
[download]

$c->require_ssl;
[download]

What do you mean by breaking into the system ? Do you mean through the network and you require SSL to be enabled for the user upload like Khen1950fx suggested ?

Or breaking into your box through some kind of injections?

You'll have to keep in mind while working that nothing will do the security checks for you, You'll have to do everything on your own.

Use catalyst if you want to build MVC based website, if you are not familiar with it or you don't want an MVC based web application then just use Template Toolkit and CGI::Application.

Normally for file upload you'll have to keep the uploaded file outside of your public_html folder (in the parent dir?) so it's not web accessible, and you should have suexec enabled webserver so your perl script run with your username not the webserver's username, then you'll have to change the permission of the file(s) so only your website user can read it.

for the download you can make a script that will take care of this using a database where only authenticated users can download their own files.

finally, if you do care too much about your web application getting cracked you might consider hiring a security consultancy to check out your web application (although they might not be perfect on their own, but they may be able to eliminate few exploits).

Thank you very much for your advice! SSL is indeed necessary, and Catalyst seems to be able to handle this in a nice way.

Or breaking into your box through some kind of injections?

Yes, apart from securing the communication channel via SSL, this is one of my primary concerns -- that there may be, for example, an unsecured SQL statement in one of Catalyst's subclasses that may be used for SQL injection, or some kind of exploit to read local files.

You'll have to keep in mind while working that nothing will do the security checks for you, You'll have to do everything on your own.

ahmad, do you mean that I have to, for example, pre-check input before the Catalyst dispatcher gets its hands on it?

Catalyst proper contains no SQL handling whatsoever. It's mostly just a dispatch framework with hooks for arranging various pieces into controllers, models, and views.

While adding in those parts it will be your responsibility to choose prefab/drop-in components that are secure or to write your own. DBIx::Class is a commonly used model driver, e.g., which is secure if used properly. It runs SQL parameters through DBI binding, for example.

If you have concerns about a particular piece or plugin, definitely bring them up on the Catalyst mailing list. You'll likely be soothed and if you discover a real issue, you'll see developers jump to fix it. A lot of very smart hackers work with Catalyst so the odds that it and its major extensions are safe are higher than they would be rolling your own; even if you were smarter than all of them. :) More eyes, more hands, more test suites, more live deployments.