Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number
 
PerlMonks  

Comment on

( #3333=superdoc: print w/ replies, xml ) Need Help??

Roger that!!

Had it not been for Micro$oft's feature-laden behemoths, (and their commensurate security patches, and security-patch patches, and so on, new ones of which seem to be required almost daily), nevermind OS-related issues, there might never have erupted as pervasive an anti-virus cottage industry as we have (which has since become a full-fledged industry).

I think you should quarantine uploaded files and run the shell command,

file {upload filename}

on them to confirm they are what they purport to be.

use File::Basename; sub validate_image _file { my $fn = shift; my %file_types = ( jpg => 'JPEG file', jpeg => 'JPEG file', gif => 'GIF file, v8[79]' ); my $ext = lc (fileparse $fn )[-1]; # get suffix return 0 unless exists $file_types{$ext}; my $file_cmd_output = `file $fn`; chomp $file_cmd_output; return 0 unless $file_cmd_output =~ /^$file_types{$ext}$/; # OK, we probably have what we think we have # go ahead and make it accessible, etc. accept_file( $fn ); # ... or whatever return 1; }

Update: The expectation here is that before this subroutine is called, a file has already been uploaded (ostensibly one whose name ends in .jpg, .jpeg, or .gif) and "quarantined" -- that is, stored somewhere "safe", out of harm's way -- and that the parameter, $fn, to the sub is the full path to this file.

(Thanks, nufsaid, for bringing up the issue of the tainted-ness of $fn)

dmm

Just call me the Anti-Gates ...

In reply to Re(2) (ichimunki): Security issues when allowing file upload via CGI by dmmiller2k
in thread Security issues when allowing file upload via CGI by George_Sherston

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others examining the Monastery: (13)
    As of 2015-07-07 18:48 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









      Results (93 votes), past polls