John Pretti wrote:
All,

Howdy,


I appreciate all the help with file uploading. I have written a basic script
similar to the file upload sample at perlmonks.com. I have noticed that it
is written very loosely so I am trying to build in additional security. Some
of the things I would like help understanding are as follows:
1. I am using $CGI::POST_MAX=1024 * 100; # max 100K posts to limit the
file upload size. This does work, but how can I output a warning to the
user's browser?
2. I would like to learn and understand how to restrict file types,
such as only .doc and .pdf.
3. What is the best way to prevent a user from passing additional
parameters to the script?

Do you mean like you could access via param()?
You can't keep them from submitting other info, but you can avoid using any input without first verifying it's what you want. Also, -T (taint mode) will be helpful, as it assumes all input is tainted until you do something to untaint it; therefore only input you check and choose to use will be used.



Once again I thank you all sincerely for your help. I am a total n00b to
Perl and I am having a lot of trouble understanding how it works; it's just not
clicking at this point. The script is included below for reference.
#!/usr/bin/perl -w
# perlUpload.cgi by John Pretti
# Comments/Questions: john[at]web-connected.com
# Last modified 04/22/04
####### Load Needed Perl Modules ######
use strict;
# Make HTML/FORMS/UPLOADING easy to deal with
use CGI;
# Report errors in the browser
use CGI::Carp 'fatalsToBrowser';
# Limit file size
$CGI::POST_MAX = 1024 * 100; # max 100K posts
####### End Perl Module Load #######
# Create new CGI object
my $q = new CGI;
if ( $q->param() ) {
    # read filehandle from param and set to binary mode
    my $filehandle = $q->param('file');
    binmode($filehandle);
    # Strip off WINDOZE path crap
    $_ = $filehandle;
    s/.*\\//;
    my $filename = $_;
^^^^^^^^^^^^^^^^

Too many lines; unnecessary. Change those 3 lines to:
      $filename =~ s/.*\\//;
Also, don't assign values to built-in variables (i.e. $_).

die "Only pdf files please" if $filename !~ m/\.pdf$/;

    # open file for output - change this to suit your needs!!!
    open(my $out, '>', "/www/web/htdocs/merlin/upload/$filename") || die $!;
    binmode($out);
    # process $filehandle
    {
        my $buffer;
        my $cur_size = 0;
        while ( read($filehandle, $buffer, 1024) ) {
            print {$out} $buffer;
            # belt and braces: CGI.pm has already refused any POST larger
            # than $CGI::POST_MAX, so count the bytes actually read rather
            # than assuming every read() returned a full 1024
            $cur_size += length $buffer;
            die "Too big" if $cur_size >= $CGI::POST_MAX;
        }
    }
    # close output file
    close($out);
    # show success (double quotes, so $filename is interpolated)
    print $q->header,
        $q->start_html,
        $q->p("File uploaded: $filename"),
        $q->end_html;
    exit(0);
      ^^^^^^^^
This exit is not needed; your program already flows.

}
else {
    # first run, so present form
    print $q->header,
        $q->start_html,
        $q->start_multipart_form,
        $q->filefield('file'),
        $q->br,
        $q->submit('Upload'),
        $q->end_form,
        $q->end_html;
    exit(0);
      ^^^^^^^^
This is also not needed :)

}
Thanks in advance for your help and patience.
Regards,
John

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
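A hardened version of the handler, added here as an example (it is neither John's script nor the reply's suggested one-liner), that answers all three questions with CGI.pm calls that exist for the purpose: cgi_error() for the over-size POST, an extension allow-list plus a check of the file's leading bytes, and a parameter allow-list under taint mode. Two things about the script above that the example also addresses: s/.*\\// strips only backslash paths, so a filename containing ../ (which any client can send) is concatenated straight into the open() path and lands outside the upload directory; and m/\.pdf$/ is case-sensitive, so report.PDF is refused while nothing checks that a .pdf actually contains a PDF. The upload directory is the one from the script, the .doc/.pdf allow-list comes from question 2, and the 'Upload' parameter name is the submit button the form itself creates; all three are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not John's script: an upload handler hardened along the lines
# of the answers above. -T (taint mode) makes Perl refuse to use request data
# in open()/sysopen() until it has passed through a regex capture.
use strict;
use warnings;
use CGI;
use CGI::Carp 'fatalsToBrowser';
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Q1: size limit. CGI.pm does not die when a POST exceeds POST_MAX; it discards
#     the body and records the error, which cgi_error() returns.
$CGI::POST_MAX = 1024 * 100;    # max 100K posts

# Assumed destination directory (taken from the original script; a directory
# the web server does not serve would be the safer choice).
my $UPLOAD_DIR = '/www/web/htdocs/merlin/upload';

# Q2: allow-list of extensions, and the leading bytes each type must start with
#     (PDF header, OLE compound document), so renaming evil.exe to evil.pdf fails.
my %MAGIC = (pdf => '%PDF-', doc => "\xD0\xCF\x11\xE0");

# Q3: allow-list of parameter names; 'Upload' is the submit button on the form.
my %ALLOWED_PARAM = map { $_ => 1 } qw(file Upload);

$ENV{PATH} = '/bin:/usr/bin';   # taint mode refuses a subprocess with an untrusted PATH
my $q = CGI->new;

sub fail {
    my ($status, $msg) = @_;
    print $q->header(-status => $status), $q->start_html('Upload rejected'),
          $q->p($q->escapeHTML($msg)), $q->end_html;
    exit 0;
}

# Q1: tell the browser the POST was too big.
if (my $err = $q->cgi_error) {
    fail($err, "Upload rejected: $err (limit is $CGI::POST_MAX bytes)");
}

if ($q->param) {
    # Q3: refuse any parameter we did not put on the form.
    my @unexpected = grep { !$ALLOWED_PARAM{$_} } $q->param;
    fail('400 Bad Request', "Unexpected parameter(s): @unexpected") if @unexpected;

    my $fh = $q->upload('file') or fail('400 Bad Request', 'No file was uploaded');
    binmode $fh;

    # The client chooses the filename, so treat it as hostile: drop any
    # directory part, whether it uses \ (Windows) or / (everything else), then
    # accept only a conservative character set. The capture untaints the value.
    (my $base = $q->param('file')) =~ s{.*[\\/]}{};
    my ($name, $ext) = $base =~ /\A([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})\z/
        or fail('400 Bad Request', 'Filename: letters, digits, _ or -, plus an extension');
    $ext = lc $ext;

    # Q2: extension allow-list, then check the content matches the extension.
    fail('415 Unsupported Media Type', 'Only .pdf and .doc files are accepted')
        unless $MAGIC{$ext};
    my $n = read($fh, my $buffer, 8192);
    fail('415 Unsupported Media Type', "Content is not a .$ext file")
        unless $n && substr($buffer, 0, length $MAGIC{$ext}) eq $MAGIC{$ext};

    # O_EXCL: never overwrite an existing file of the same name.
    my $dest = "$UPLOAD_DIR/$name.$ext";
    sysopen(my $out, $dest, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or fail('409 Conflict', "Could not create $name.$ext: $!");
    binmode $out;

    # The first 8K is already in $buffer; write it, then stream the rest.
    my $written = 0;
    do {
        $written += length $buffer;
        print {$out} $buffer or die "write failed: $!";
    } while (read($fh, $buffer, 8192));
    close $out or die "close failed: $!";

    # Echo the name through escapeHTML; it came from the request.
    print $q->header, $q->start_html('Upload complete'),
          $q->p('File uploaded: ' . $q->escapeHTML("$name.$ext") . " ($written bytes)"),
          $q->end_html;
}
else {
    print $q->header, $q->start_html('Upload'), $q->start_multipart_form,
          $q->filefield('file'), $q->br, $q->submit('Upload'),
          $q->end_form, $q->end_html;
}
```

Run it as the CGI itself: the -T on the shebang line only takes effect when perl is started through it, and perl script.cgi without -T dies with "Too late for -T". The filename regex deliberately allows no dots in the base name, so report.final.pdf is refused; loosen it only after checking how your web server maps files with several extensions. The cgi_error() check has to come before the first call to param(), because an over-size POST leaves the parameter list empty and the script would otherwise silently show the blank form again.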