I have to upload a file from the user in a Perl Script.

In fact it is a image file (.jpg) that upload the file to server via an HTML interface.

Does someone know where I could find ideas or scri^pts to do the job ?

BIG FAT SECURITY WARNING.

Do not write this code yourself, and be sure that any script you do use sanity checks the names of the files, and is clever with passing the filename to the saving function. In addition, the script should be owned and run by a limited user, definately not root.

Otherwise you could end up with some loser uploading "myfakejpg.jpg;rm -rf *".....not a pretty sight.

Here is a good place to start looking.

This is not for an Internet Site but here at office for an Intranet Server.

Access to this script will be only enabled for a limited persons group.

There is no 'hacker user' at my office.


Thanks a lot !!!

try : "perldoc CGI" on a unix machine. It contains examples of file-upload scripts

He Frank youre there !!!!


Thanks I forgot this basic way to use Perl.

Ok...

Just be aware that an estimated 70% of all attacks are by insiders!

Yeah...this is really dangerous. I highly recommend using a file size limit AND a severe set of regex's to enforce a "legal" (meaning you define what is legal) filename.

It's really easy to implement from the link that was already provided, just be careful.

It is far easier and safer to just not use the name of the file that the user supplied to store the uploaded file under. Generate a unique ID for each file uploaded, store the file on the file system under this name and put the name the user had control over into a database. Then you can still display the name the user uploaded where neccessary, but don't have to trust that there was nothing nasty in it.

Much easier (don't have to spend forever with regexs working out what is "legal") and far safer (when your regex missed something subtle).

My project is to only upload image files.

That's it.

What difference does that make ? It is the danger of trusting the file name that the user is sending you that we are discussing, not the contents of the file.

I said there is no hacker user at my Job.

The script I am writing wil doo :

have the image file on the server

put it in a predefined directory that is the date of the day (/rootwbserver/infos/10032002)

give the uploaded image file the name of some datas given by the user (me).




For this question, I found on the W3c site standard called RDF and some tools to include data in a picture file and have it treated via XML.

Here is the link I will inspired :

DESCRIBING PHOTOS

this is exactly waht I want to do ....

That's fair enough, but I think we had moved on to a more general discussion on the issues involved in accepting a file name from a user. I was just pointing out that the fact that the files you were uploading were images made no difference to the general security issue involved. As you trust all you users this obviously won't be a problem anyway.