comment on

Any inputs on this context would be very helpful.

See Re: Insecure dependency in open while running with -T switch and use taint

If you use File::Path;, actually use it, don't shell out to mkdir

If you use CGI; then don't look at QUERY_STRING, use CGI or die;

It is completely unclear why you're bothering with the upload hook, so get rid of it :) You can use File::Copy for CGI upload, like this

#!/usr/bin/perl --
use constant DEBUG => !!( 0 || $ENV{PERL_DEBUG_MYAPPNAME} );
use CGI::Carp qw( fatalsToBrowser );
use CGI;

# to avoid those pesky 500 errors
BEGIN {
    CGI::Carp::set_message(
        sub {
            print "<h1>something broke, we know what it is, thank you,
+ try again later</h1>\n";
            if (DEBUG) { # secrets
                print '<p>', CGI->escapeHTML(@_), '</p>';
            }
        }
    );
} ## end BEGIN


use strict;
use warnings;
use Data::Dumper ();
use File::Copy qw' copy ';

Main( @ARGV );
exit( 0 );

sub Main {
    
#~     return DebugCGI(); # generic, env.cgi
    return SaveUploadsTo(
        CGI->new,
        [qw' file otheruploadfile andAnother '],
        '/destination/dir/where/uploads/end/up', 
    );
} ## end sub Main


sub SaveUploadsTo {
    my( $cgi,  $uploadFields , $destDir ) = @_;
    chdir $destDir
      or die "Cannot chdir to upload destination directory: $!\n";
    print $cgi->header;
    for my $field ( @{ $uploadFields } ){
        my $filename = $cgi->param( $field );
        my $tmpfilename = $cgi->tmpFileName( $filename );
        $filename = WashFilename( $filename ) ;
        
        my $destFile = File::Spec->catfile( $destDir, $filename );
        
        copy( $tmpfilename, $destFile )
          or die "Copy to ( $destFile ) failed: (( $! ))(( $^E ))";
        
        print "<p>Sucessfully uploaded  ",
            CGI->escapeHTML( $filename  ),
            " thanks</p>\n";
    }
    print "<P>done processing uploads</p>\n";
} ## end sub SaveUploadsTo

sub DebugCGI {
    my $cgi = CGI->new;
    print $cgi->header();    # Write HTTP header
    print $cgi->start_html,
      $cgi->b( rand time, ' ', scalar gmtime ),
      '<table border="1" width="%100"><tr><td>',
      $cgi->Dump,
      '</td>',
      '<td><div style="white-space: pre-wrap; overflow: scroll;">',
      $cgi->escapeHTML( DD($cgi) ),
      '</div></td></tr></table>',
      CGI->new( \%ENV )->Dump,
      $cgi->end_html;
} ## end sub DebugCGI


sub WashFilename {
    use File::Basename;
    my $basename = basename( shift );
    # untainted , only use a-z A-Z 0-9 and dot
    $basename = join '', $basename =~ m/([.a-zA-Z0-9])/g;
    # basename is now, hopefully, file.ext
    ## so to ensure uniqueness, we adulterate it :)
    my $id = $$.'-'.time;
    my( $file, $ext ) = split /\./, $basename, 2 ;
    return join '.', grep defined, $file, $id, $ext;
} ## end sub WashFilename

sub DD {
    scalar Data::Dumper->new( \@_ )->Indent(1)->Useqq(1)->Dump;
}
[download]

In reply to Re: Perl/CGI Uploading file to the server using a upload hook is failing intermittently by Anonymous Monk
in thread Perl/CGI Uploading file to the server using a upload hook is failing intermittently by prantikd

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


Perl: the Markov chain saw
	PerlMonks