Re(4) (ichimunki): Security issues when allowing file upload via CGI

by dmmiller2k (Chaplain)
on Dec 07, 2001 at 01:50 UTC (#130085=note)


in reply to Re: Re(2) (ichimunki): Security issues when allowing file upload via CGI
in thread Security issues when allowing file upload via CGI

Sigh.

Yes, you're right about $fn being tainted, but I was speaking more to the principle of using the standard *NIX command, "file" (or reasonable facsimile, such as the perl module File::MMagic, for example) to check the type of the file by examining the first several bytes (or more).

Certainly, by the time I intended this code to run, a file would have been uploaded to some directory somewhere. My expectation was that $fn would, at the time of the call, contain the full pathname to this file, and would not necessarily have been entered directly by a web-page user.

But then, I DID fail to document these expectations (read: preconditions, using programming-by-contract terminology), so I deserve to be chastised for it.

(takes 40 lashes with a wet noodle)

dmm


You can give a man a fish and feed him for a day ...
Or, you can teach him to fish and feed him for a lifetime
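The principle dmmiller2k describes above, as an added example that is not his code and not from the original thread: enforce the precondition that $fn is a path inside a known upload directory (the regex capture is what untaints it under -T), then classify the file by its leading bytes with File::MMagic rather than by its name or the browser's Content-Type. The upload directory, the allow-list of types and the two sample files are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::MMagic;
use File::Temp qw(tempdir);

# Assumed: a fixed upload directory and an allow-list of acceptable MIME types.
my $UPLOAD_DIR = tempdir(CLEANUP => 1);   # stands in for something like /var/uploads
my %ALLOWED    = map { $_ => 1 } qw(image/png image/gif image/jpeg);

# Precondition check: accept only a bare filename made of safe characters and
# rebuild the full path ourselves; the capture also untaints $fn under -T.
sub untaint_upload_path {
    my ($fn) = @_;
    my ($base) = $fn =~ m{^([A-Za-z0-9_.-]{1,64})\z} or die "bad upload name\n";
    die "bad upload name\n" if $base =~ /^\.+$/;   # reject "." and ".."
    return "$UPLOAD_DIR/$base";
}

# Content check: look at the file's magic bytes, not its extension or the
# Content-Type header the client sent.
sub detected_type {
    my ($path) = @_;
    my $mm = File::MMagic->new;
    return $mm->checktype_filename($path);   # e.g. "image/png" or "text/plain"
}

# Returns (accepted?, detected type) for an upload referred to by bare name.
sub is_acceptable {
    my ($fn) = @_;
    my $path = untaint_upload_path($fn);
    my $type = detected_type($path);
    return ($ALLOWED{$type} ? 1 : 0, $type);
}

# Constructed samples: a plain-text file named like a PNG, and a file that
# really starts with the PNG signature.
open my $fh, '>', "$UPLOAD_DIR/fake.png" or die $!;
print $fh "hello, not an image\n"; close $fh;
open $fh, '>:raw', "$UPLOAD_DIR/real.png" or die $!;
print $fh "\x89PNG\r\n\x1a\n" . ("\0" x 16); close $fh;

for my $name ('fake.png', 'real.png', '../etc/passwd') {
    my ($ok, $type) = eval { is_acceptable($name) };
    my $verdict = $@ ? "rejected: $@" : $ok ? "accepted as $type\n" : "rejected ($type)\n";
    printf "%-15s %s", $name, $verdict;
}
```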

