PerlMonks  

Re^2: File upload became deaf after upgrading from 5.8.7 to 5.8.9

by Andre_br (Pilgrim)
on Nov 05, 2010 at 13:01 UTC


in reply to Re: File upload became deaf after upgrading from 5.8.7 to 5.8.9
in thread File upload became deaf after upgrading from 5.8.7 to 5.8.9

Hey Khen, thanks for the reply!

Tell me, which security reasons? You mean it does some security checks? (I didn't find it in the docs)

Also, folks, I think the reason I interpreted from the issue was the opposite: the my $q = new CGI; inside the sub probably emptied the POSTed data that was captured by the my $q = new CGI; at the beginning of the main script.

Curious thing is that it only bothers the upload() method, and not the param(). That shall make a lot of people go crazy.

Thanks

André

Re^3: File upload became deaf after upgrading from 5.8.7 to 5.8.9
by Khen1950fx (Canon) on Nov 05, 2010 at 14:01 UTC
    Which security reasons?

    You'll find the reasons in the PRAGMAS subsection. Look for -private_tempfiles. Here, quoting the documentation:

    -private_tempfiles

    "CGI.pm can process uploaded file. Ordinarily it spools the uploaded file to a temporary directory, then deletes the file when done. However, this opens the risk of eavesdropping as described in the file upload section. Another CGI script author could peek at this data during the upload, even if it is confidential information. On Unix systems, the -private_tempfiles pragma will cause the temporary file to be unlinked as soon as it is opened and before any data is written into it, reducing, but not eliminating the risk of eavesdropping (there is still a potential race condition). To make life harder for the attacker, the program chooses tempfile names by calculating a 32 bit checksum of the incoming HTTP headers".

    "To ensure that the temporary file cannot be read by other CGI scripts, use suEXEC or a CGI wrapper program to run your script. The temporary file is created with mode 0600 (neither world nor group readable)".
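An added, offline reproducer (not code from either poster) for the two points in this thread: the second CGI->new inside a sub from André's post, and the -private_tempfiles pragma Khen quotes. It assumes CGI.pm is installed and that the web server would have set REQUEST_METHOD, CONTENT_TYPE and CONTENT_LENGTH; the multipart body is constructed here and fed to STDIN, and describe() is a hypothetical helper name.

```perl
#!/usr/bin/perl
# Added example: replay a constructed multipart POST from STDIN and compare
# what the script's outer CGI object and a second one built later see.
use strict;
use warnings;
use CGI qw(-private_tempfiles);   # pragma quoted in the reply above

# Constructed request body: one file field, CRLF line endings as CGI.pm expects.
my $boundary = 'xYzZY';
my $body = join '',
    "--$boundary\r\n",
    "Content-Disposition: form-data; name=\"file\"; filename=\"hello.txt\"\r\n",
    "Content-Type: text/plain\r\n\r\n",
    "hello from a constructed upload\r\n",
    "--$boundary--\r\n";

# Environment a web server would set for this request.
$ENV{REQUEST_METHOD} = 'POST';
$ENV{CONTENT_TYPE}   = "multipart/form-data; boundary=$boundary";
$ENV{CONTENT_LENGTH} = length $body;
open STDIN, '<', \$body or die "cannot redirect STDIN: $!";
binmode STDIN;

# Pattern from the original post: one object at the top of the script ...
my $q = CGI->new;

# Report what a given CGI object returns for the file field. The post reports
# that param() still worked but upload() went deaf on the object built inside
# the sub; passing the outer $q into the sub sidesteps the question entirely.
sub describe {
    my ($label, $cgi) = @_;
    my $name = $cgi->param('file');
    my $fh   = $cgi->upload('file');
    my $data = defined $fh ? do { local $/; <$fh> } : undef;
    printf "%-13s param()=%s upload()=%s\n", $label,
        defined $name ? "'$name'" : 'undef',
        defined $fh   ? sprintf('%d bytes', length $data) : 'undef';
}

describe('outer object', $q);          # the object that parsed STDIN
describe('inner object', CGI->new);    # built after STDIN was already consumed
```

Which CGI.pm version is installed decides what the second line prints, which is exactly why the thread's symptom appeared only after the Perl upgrade.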
