Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Re: File Upload Security Question

by plaid (Chaplain)
on Jun 11, 2000 at 01:03 UTC ( #17536=note: print w/replies, xml ) Need Help??


in reply to File Upload Security Question

A few thoughts:

The $file variable which is the second parameter being passed in never gets used anywhere. I don't know if this is because the part of the code using it has been stripped out though.

The $data variable, third parameter passed in, just gets overwritten in the while loop. Again, maybe something important has been stripped from the code that I'm missing.

I don't see how $filename is a symbolic reference. A symbolic reference only occurs when you're using one variable's value to get the name for another variable. The code worked fine for me without the 'no strict' lines.

The danger in this code lies in the open call. open allows some powerful constructs in it, such as piping output to another program, redirecting output, etc. Take a look at perlsec for a detailed description.

Replies are listed 'Best First'.
RE: Re: File Upload Security Question
by Ovid (Cardinal) on Jun 11, 2000 at 01:16 UTC
    The issues with the $file and $data variables that you pointed out were caused by my stripping this down to a minimal test case and overlooking them.

    You mentioned that you had no problem using the code without the "no strict" lines. Were you using this to upload a file from a Web page and using CGI.pm? That's where I seem to get the symbolic reference problem.

    I'll take a closer look at the perlsec doc and see if it addresses the problem. Thanks.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://17536]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (3)
As of 2022-01-20 06:32 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    In 2022, my preferred method to securely store passwords is:












    Results (56 votes). Check out past polls.

    Notices?