PerlMonks  

Re: Security issues when allowing file upload via CGI

by sparkyichi (Deacon)
on Dec 06, 2001 at 22:13 UTC (#130014=note)


in reply to Security issues when allowing file upload via CGI

I would be careful about how the file is transferred. You do not want the user to include directory structures in the file name (such as ../../../../../file.ext). This could be a very bad thing. In this situation I would think that it is best to err on the side of caution. There is too great a possibility to introduce a security hole. Don't forget to taint check.

Sparky


Re: Re: Security issues when allowing file upload via CGI
by Aighearach on Dec 07, 2001 at 00:19 UTC
    There is no control there in how it is transferred, assuming it is POSTing it from a web form. It's browser dependent, and browsers send different sorts of things. So you have to munge the filename anyways. But you want to do it anyways, because different OSes have different filename standards.

    In my web upload scripts, I use this:

    $filename =~ tr{:\\}{/};       # convert Mac and Windows directory separators to Unix style
    $filename =~ s{.*/}{}g;        # strip everything before the last separator
    $filename =~ s{[^\w\-\.]}{}go; # remove funny characters

    --
    Snazzy tagline here
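The two replies above fit together into one small sanitiser: normalise the separators, keep only the last path component, strip odd characters, refuse anything that collapses to nothing or to dots, and untaint the result with a capturing regex so it can be used under -T. The code below is an added example and not code from either poster; the 64-character limit, the "no leading dots" rule and the test inputs are my own assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# sanitize_upload_name: returns a safe bare filename, or undef to reject.
# Added example (not from the thread); the length limit and dotfile rule
# are assumptions, not something either reply specified.
sub sanitize_upload_name {
    my ($name) = @_;
    return unless defined $name;

    $name =~ tr{:\\}{/};           # Mac ':' and Windows '\' become '/'
    $name =~ s{.*/}{};             # keep only the last path component
    $name =~ s{[^\w\-.]}{}g;       # drop anything but word chars, '-', '.'
    $name =~ s{^\.+}{};            # no dotfiles: kills '..' and '.htaccess'
    $name = substr($name, 0, 64);  # assumed sane length limit

    # Untaint: under perl -T only a value captured by a regex is trusted.
    # The pattern also rejects empty names, '..' in the middle, and a
    # trailing dot, since each dot must be followed by a word character.
    my ($safe) = $name =~ /^([\w\-]+(?:\.[\w\-]+)*)$/;
    return $safe;                  # undef => reject the upload
}

# Constructed sample inputs (not taken from the thread).
my @cases = (
    '../../../../../etc/passwd',    # Unix traversal attempt
    'C:\\Users\\me\\report.doc',    # Windows path from an old IE
    'Macintosh HD:Docs:notes.txt',  # classic Mac OS path
    '.htaccess',                    # dotfile
    '..',                           # bare parent directory
    'a..b.txt',                     # embedded double dot
    'photo 2001 (1).jpg',           # spaces and parentheses
    '',                             # empty
);

for my $in (@cases) {
    my $out = sanitize_upload_name($in);
    printf "%-32s => %s\n", "'$in'", defined $out ? "'$out'" : 'REJECT';
}
```

Run it as `perl -T` once it is wired into a real CGI: because no directory part survives the `s{.*/}{}`, joining the returned name onto your upload directory cannot escape it, and the capturing regex is what satisfies taint mode. When you write the file, use the three-argument `open` with an explicit `'>'` mode so the name can never be read as a pipe or a mode prefix.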
