Unoffical empeg BBS


#81808 - 18/03/2002 07:50 Perl upload script
Nosferatu
enthusiast

Registered: 24/08/2001
Posts: 344
Loc: France, Champagne
I have to upload a file from the user in a Perl Script.

In fact it is a image file (.jpg) that upload the file to server via an HTML interface.

Does someone know where I could find ideas or scripts to do the job?


_________________________
Empeg IIa - 10 Gb - Red Fascia - Tuner, the day is coming - I Will Strike From the Grey -

#81809 - 18/03/2002 08:04 Re: Perl upload script [Re: Nosferatu]
genixia
Carpal Tunnel

Registered: 08/02/2002
Posts: 3411
BIG FAT SECURITY WARNING.

Do not write this code yourself, and be sure that any script you do use sanity checks the names of the files, and is clever with passing the filename to the saving function. In addition, the script should be owned and run by a limited user, definitely not root.

Otherwise you could end up with some loser uploading "myfakejpg.jpg;rm -rf *".....not a pretty sight.

Here is a good place to start looking.
_________________________
Mk2a 60GB Blue. Serial 030102962 sig.mp3: File Format not Valid.

#81810 - 18/03/2002 08:16 Re: Perl upload script [Re: genixia]
Nosferatu
enthusiast

Registered: 24/08/2001
Posts: 344
Loc: France, Champagne
This is not for an Internet site but for an intranet server here at the office.

Access to this script will only be enabled for a limited group of persons.

There is no 'hacker user' at my office.


Thanks a lot!!!
_________________________
Empeg IIa - 10 Gb - Red Fascia - Tuner, the day is coming - I Will Strike From the Grey -

#81811 - 18/03/2002 09:04 Re: Perl upload script [Re: Nosferatu]
fvgestel
old hand

Registered: 12/08/2000
Posts: 702
Loc: Netherlands
Try "perldoc CGI" on a Unix machine. It contains examples of file-upload scripts.
_________________________
Frank van Gestel

#81812 - 18/03/2002 09:06 Re: Perl upload script [Re: fvgestel]
Nosferatu
enthusiast

Registered: 24/08/2001
Posts: 344
Loc: France, Champagne
Hey Frank, you're there!!!!


Thanks, I forgot this basic way to use Perl.


_________________________
Empeg IIa - 10 Gb - Red Fascia - Tuner, the day is coming - I Will Strike From the Grey -

#81813 - 18/03/2002 10:25 Re: Perl upload script [Re: Nosferatu]
genixia
Carpal Tunnel

Registered: 08/02/2002
Posts: 3411
Ok...

Just be aware that an estimated 70% of all attacks are by insiders!
_________________________
Mk2a 60GB Blue. Serial 030102962 sig.mp3: File Format not Valid.

#81814 - 18/03/2002 15:45 Re: Perl upload script [Re: genixia]
redbutt2
member

Registered: 12/01/2002
Posts: 141
Loc: San Diego, CA
Yeah... this is really dangerous. I highly recommend using a file size limit AND a severe set of regexes to enforce a "legal" (meaning you define what is legal) filename.

It's really easy to implement from the link that was already provided, just be careful.
_________________________
We need a bigger boat.

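The two pieces of advice above (genixia's: sanity check the name and never hand it to a shell or to an open() it can steer; redbutt2's: a size limit plus a strict regex whitelist), as an added Perl CGI example. This is not code from the thread or from perldoc CGI. The form field name `photo`, the 2 MB limit, the `.jpg`/`.jpeg` suffix rule and the destination directory `/var/www/uploads` are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not the thread's code: a CGI.pm upload handler that
# caps the request size and whitelists the client-supplied filename.
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Cap on the whole POST body, enforced by CGI.pm before anything is
# written; 2 MB is an assumed value for a single JPEG.
$CGI::POST_MAX = 2 * 1024 * 1024;
my $UPLOAD_DIR = '/var/www/uploads';   # assumed; writable by the web server user only

# Return a name that is safe to use in a path, or undef. Only the last
# path component counts (some browsers send "C:\Documents\pic.jpg"), and
# it must be a short run of [A-Za-z0-9_-] with a .jpg/.jpeg suffix.
# "myfakejpg.jpg;rm -rf *" and "../../etc/passwd" both return undef.
sub safe_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $name = $raw) =~ s{^.*[/\\]}{}s;          # drop any directory part
    return undef unless $name =~ /^([A-Za-z0-9_-]{1,64}\.jpe?g)$/i;
    return $1;                                     # the capture also untaints it under -T
}

my $q = CGI->new;
if (my $err = $q->cgi_error) {          # set when POST_MAX was exceeded
    print $q->header(-status => $err), "Upload rejected: $err\n";
    exit 0;
}

my $name = safe_filename(scalar $q->param('photo'));   # 'photo' is the assumed field name
my $fh   = $q->upload('photo');                         # handle on CGI.pm's temporary spool file
unless (defined $name && $fh) {
    print $q->header(-status => '400 Bad Request'), "Missing file or disallowed name\n";
    exit 0;
}

# Open the destination with an explicit path and O_EXCL: no shell, no
# two-argument open() that the name could steer, no clobbering of an
# existing file.
my $dest = "$UPLOAD_DIR/$name";
sysopen(my $out, $dest, O_WRONLY | O_CREAT | O_EXCL, 0644)
    or do { print $q->header(-status => '409 Conflict'), "Cannot create $name: $!\n"; exit 0 };
binmode $fh;
binmode $out;
my $buf;
while (read($fh, $buf, 65536)) {
    print {$out} $buf or die "write: $!";
}
close $out or die "close: $!";

print $q->header(-type => 'text/plain'), "Stored as $name\n";
```

The name in genixia's example only does damage if it reaches a shell (system(), backticks, a pipe open) or a two-argument open() whose mode the name can change; this script has none of those, and the whitelist in safe_filename rejects the name long before any file operation. Taint mode (-T) is the backstop: if someone later adds a system() call or reuses the raw param in a path, Perl refuses to run it until the value has passed a regex like the one above.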
#81815 - 18/03/2002 16:21 Re: Perl upload script [Re: redbutt2]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
It is far easier and safer to just not use the name of the file that the user supplied to store the uploaded file under. Generate a unique ID for each file uploaded, store the file on the file system under this name and put the name the user had control over into a database. Then you can still display the name the user uploaded where necessary, but don't have to trust that there was nothing nasty in it.

Much easier (don't have to spend forever with regexes working out what is "legal") and far safer (when your regex missed something subtle).
_________________________
Remind me to change my signature to something more interesting someday

#81816 - 19/03/2002 14:27 Re: Perl upload script [Re: andy]
Nosferatu
enthusiast

Registered: 24/08/2001
Posts: 344
Loc: France, Champagne
My project is to only upload image files.

That's it.

_________________________
Empeg IIa - 10 Gb - Red Fascia - Tuner, the day is coming - I Will Strike From the Grey -

#81817 - 19/03/2002 14:34 Re: Perl upload script [Re: Nosferatu]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
What difference does that make? It is the danger of trusting the file name that the user is sending you that we are discussing, not the contents of the file.
_________________________
Remind me to change my signature to something more interesting someday

#81818 - 19/03/2002 14:57 Re: Perl upload script [Re: andy]
Nosferatu
enthusiast

Registered: 24/08/2001
Posts: 344
Loc: France, Champagne
I said there is no hacker user at my Job.
_________________________
Empeg IIa - 10 Gb - Red Fascia - Tuner, the day is coming - I Will Strike From the Grey -

#81819 - 19/03/2002 15:06 Re: Perl upload script [Re: Nosferatu]
Nosferatu
enthusiast

Registered: 24/08/2001
Posts: 344
Loc: France, Champagne
The script I am writing will do:

have the image file on the server

put it in a predefined directory that is the date of the day (/rootwbserver/infos/10032002)

give the uploaded image file a name made of some data given by the user (me).




For this question, I found on the W3C site a standard called RDF and some tools to include data in a picture file and have it treated via XML.

Here is the link I will be inspired by:

DESCRIBING PHOTOS

This is exactly what I want to do....
_________________________
Empeg IIa - 10 Gb - Red Fascia - Tuner, the day is coming - I Will Strike From the Grey -

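andy's design from earlier in the thread (store the file under a server-generated ID, keep the client's name as data only) combined with the layout in the post just above (a directory per day under /rootwbserver/infos, a name chosen from user-supplied data), as an added Perl example. It is not the thread's code. Assumptions: form fields `photo` and `caption`, a 2 MB limit, a tab-separated index file standing in for the database andy mentions, and a JPEG magic-byte check since the thread says only images are uploaded.

```perl
#!/usr/bin/perl -T
# Added example, not the thread's code: store each upload under a
# server-generated ID in a per-day directory and keep the client's
# filename and caption as data only.
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL LOCK_EX);
use POSIX qw(strftime);

$CGI::POST_MAX = 2 * 1024 * 1024;      # assumed: refuse bodies over 2 MB
my $BASE = '/rootwbserver/infos';      # base directory named in the thread

# Server-generated identifier: nothing in it comes from the request.
sub new_id {
    my $hex = '';
    if (open my $u, '<', '/dev/urandom') {
        read $u, my $raw, 8;
        close $u;
        # Data read from a file is tainted under -T; the regex untaints it.
        ($hex) = unpack('H*', $raw) =~ /^([0-9a-f]{16})$/ if defined $raw;
    }
    $hex ||= join '', map { sprintf '%02x', int rand 256 } 1 .. 8;   # fallback
    return sprintf '%08x%04x%s', time, $$ & 0xffff, $hex;
}

my $q = CGI->new;
if (my $err = $q->cgi_error) {         # set when POST_MAX was exceeded
    print $q->header(-status => $err), "$err\n";
    exit 0;
}
my $fh = $q->upload('photo');          # assumed form field name
unless ($fh) {
    print $q->header(-status => '400 Bad Request'), "no file\n";
    exit 0;
}

# Client-controlled strings: kept for display, never used in a path.
my $orig_name = scalar $q->param('photo');
my $caption   = scalar $q->param('caption');   # assumed extra form field
$orig_name = '' unless defined $orig_name;
$caption   = '' unless defined $caption;

# Read the upload (bounded by POST_MAX) and check the JPEG SOI marker
# before anything touches the filesystem.
binmode $fh;
my $data = do { local $/; <$fh> };
unless (defined $data && substr($data, 0, 3) eq "\xFF\xD8\xFF") {
    print $q->header(-status => '415 Unsupported Media Type'), "not a JPEG\n";
    exit 0;
}

my $day = strftime('%d%m%Y', localtime);   # e.g. 10032002, the layout in the thread
my $dir = "$BASE/$day";
mkdir $dir, 0755 or die "mkdir $dir: $!" unless -d $dir;

my $id   = new_id();
my $path = "$dir/$id.jpg";
sysopen(my $out, $path, O_WRONLY | O_CREAT | O_EXCL, 0644) or die "$path: $!";
binmode $out;
print {$out} $data or die "write $path: $!";
close $out or die "close $path: $!";

# Index record standing in for the database andy suggests. Tabs and
# newlines are removed so a hostile name cannot forge extra records.
s/[\t\r\n]+/ /g for ($orig_name, $caption);
open my $idx, '>>', "$BASE/index.tsv" or die "index: $!";
flock $idx, LOCK_EX or die "flock: $!";
print {$idx} join("\t", $id, $day, $orig_name, $caption), "\n" or die "index: $!";
close $idx or die "index: $!";

print $q->header(-type => 'text/plain'), "stored as $day/$id.jpg\n";
```

The only strings that end up in a path are `$BASE`, the date from strftime and the ID built in new_id, none of which the client can influence; O_EXCL makes an ID collision a hard failure rather than an overwrite. The original filename and the caption still get displayed, but from the index record, where the worst they can do is look odd. The script must still run as an unprivileged user with write access to /rootwbserver/infos and nothing else, as the first reply in the thread insists.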
#81820 - 19/03/2002 15:06 Re: Perl upload script [Re: Nosferatu]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
That's fair enough, but I think we had moved on to a more general discussion on the issues involved in accepting a file name from a user. I was just pointing out that the fact that the files you were uploading were images made no difference to the general security issue involved. As you trust all your users this obviously won't be a problem anyway.
_________________________
Remind me to change my signature to something more interesting someday
