Typically, monks will warn new programmers that they must use strict. This pragma is useful, but if you just don't understand programming, it's a false sense of security. Today, I'm working on some code another (ex) employee wrote. The code allows a user to fill out a form, use an attachment, and email the data to one of our users. How many problems can you find? Here's a blindingly obvious hint on one of them: the programmer never told the admin about the directory he was saving files to.
my $outputFile; if( $_file_name !~ /^(\s*)$/ ) { use constant BUFFER_SIZE => 16_384; # Amount of upload file t +o read at one time use constant MAX_FILE_SIZE => 3_145_728; # This is the filesize up +load limit $CGI::DISABLE_UPLOADS = 0; # Temporarily reenable up +loads $CGI::POST_MAX = MAX_FILE_SIZE; # Path and Filename my $file_name = $_file_name; my $file_type = $query->uploadInfo($file_name)->{'Content-Type'}; my $basename = basename($file_name); if( $file_type =~ /octet-stream/ ) { $errors{ 'file_type' } = ["","","Unrecognize your submitted re +sume file format."]; goto Print; } $outputFile = $UPLOAD_RESUME_DIRECTORY . $basename ; my $buffer = ""; open(OUTPUT,">>$outputFile"); my @stats; # Need binmode or Win32 systems will convert end-of-line chars binmode OUTPUT; { no strict 'refs'; READ_FILE: while ( read( $file_name, $buffer, BUFFER_SIZE ) ) +{ print OUTPUT $buffer; @stats = stat $outputFile; last READ_FILE if ( $stats[7] > MAX_FILE_SIZE ) } } close(OUTPUT); #check the file size if ( $stats[7] > MAX_FILE_SIZE || %errors ) { $errors{'file_size'} = ["","","Your submitted file's size is o +ver 3MB."]; unlink $outputFile;
I'll post my observations later. Be careful, there are some subtle bugs here.
Cheers,
Ovid
Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.
Back to
Meditations