PerlMonks  
The only major issues I see with it are: (a) making sure that quotas on the system are maintained, (b) permissions issues, and (c) potential liability for downloaded content. I am assuming there would also be a need for an authentication system to permit only users on the system to upload.

Quotas: You need to test that the files uploaded fall under the user's quota. I saw a system once where data files created by a CGI were owned by the user the web server ran as, which resulted in them not appearing properly in the user's quota. You will also want to make sure that the user (and group, on systems with that feature) they show up under is correct and has quotas in place, to prevent someone from filling the site's or group's quota, or in the worst case, the partition or drive itself.

Permissions issues: On a *nix system, 644 would likely be the better permission to use. (For reference, the first place in the number is the permissions for the owner, the next for the group, the last for others on the system, and the value is the sum of the permissions, where 4 is read permission, 2 is write permission, and 1 is execute permission.) On other systems, permissions should be set so the uploaded data is not executable on the server. IF you are allowing users to upload CGI scripts, then that will be a special case, needing EXTREME care.

Download issues: Others above in this thread have made cases regarding when others download the content, so I will not poorly repeat their comments. The issue is, though, that any website can wittingly or unwittingly contain harmful content (which partially depends on your definition of "harmful"), and all you can reasonably be expected to do is try to make it more difficult for someone to post something intentionally.

In my own experience (which may or may not prove applicable to you), I had to set up a system for submitting files to a site that would notify the site owner of the submission. My solution was to have the uploads go to a directory that was readily visible from the site, rename the file and set it non-executable, owned by the site owner's user/group, and send the site owner a link to the file, along with the name the submitter suggested. Beyond that, as a coder, I could only advise the site owner to use caution in dealing with the files.

Something else you may wish to look into, which I have heard of but never tried, is loading the content into, and pulling it from, a database. Of course, this is only if that would be appropriate for said content, and as always, YMMV.


In reply to Re: Security issues when allowing file upload via CGI by atcroft
in thread Security issues when allowing file upload via CGI by George_Sherston
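One way to put the quota, permission and renaming points above into practice in a Perl CGI handler, as an added example that is not from the original post or thread: the upload is stored under a generated name with mode 0644, the submitter's suggested name is recorded separately rather than used on disk, and an upload that would push the directory past a byte budget is discarded. `bytes_used`, `store_upload` and the sample data are constructed for this example; `bytes_used` stands in for a real filesystem quota, and chown to the site owner is left out because it needs privilege the CGI normally lacks.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Bytes already stored under $dir: a simple stand-in for a real filesystem quota.
sub bytes_used {
    my ($dir) = @_;
    my $total = 0;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    for my $f (readdir $dh) {
        my $p = "$dir/$f";
        $total += -s $p if -f $p;
    }
    closedir $dh;
    return $total;
}

# Store an upload read from $in under $dir without letting the directory exceed
# $max_total bytes. The suggested name is only recorded; the file is created 0644.
sub store_upload {
    my ($in, $dir, $suggested, $max_total) = @_;
    my $budget = $max_total - bytes_used($dir);
    my $name   = sprintf 'upload-%d-%d-%06d', time, $$, int rand 1_000_000;
    my $path   = "$dir/$name";
    umask 022;                          # umask 022 with 0644 below yields rw-r--r--
    sysopen(my $out, $path, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or die "cannot create $path: $!";
    my $len = 0;
    while (my $n = read($in, my $chunk, 8192)) {
        $len += $n;
        if ($len > $budget) {           # over quota: discard the partial file
            close $out;
            unlink $path;
            die "upload rejected: would exceed quota\n";
        }
        print {$out} $chunk or die "write $path: $!";
    }
    close $out or die "close $path: $!";
    return { path => $path, suggested_name => $suggested, size => $len };
}

# Constructed sample run: an in-memory "upload" stored into a temporary directory.
my $dir  = tempdir(CLEANUP => 1);
my $data = "hello, monastery\n";
open(my $fh, '<', \$data) or die $!;
my $info = store_upload($fh, $dir, 'submitted.cgi', 4096);
printf "stored %s (%d bytes) as mode %04o; submitter called it '%s'\n",
    $info->{path}, $info->{size}, (stat $info->{path})[2] & 07777, $info->{suggested_name};
```

Running it a second time with `$max_total` set below the stored size shows the rejection path: the partially written file is unlinked and nothing from the submitter's name reaches the filesystem.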
