Re: [OT] uploaded files and multi-paged forms

2000-10-19 Thread Matt Sergeant

On Thu, 19 Oct 2000, Alexander Farber (EED) wrote:

> How do you handle uploading files when using multi-paged
> forms (for example entered text and a picture are previewed
> before storing into the database and special directory)?
> 
> Uploaded files can't be passed as hidden fields, right?
> So do you let your users upload the same file several
> times and then delete the temporary files with a cron job?

Not multiple times, but let them upload and store in a temp file, which
you can store the filename as a hidden field. Use File::MkTemp to create
the filenames.

And delete temp files older than 60 minutes or so periodically.

-- 


/||** Director and CTO **
   //||**  AxKit.com Ltd   **  ** XML Application Serving **
  // ||** http://axkit.org **  ** XSLT, XPathScript, XSP  **
 // \\| // ** Personal Web Site: http://sergeant.org/ **
 \\//
 //\\
//  \\




Re: [OT] uploaded files and multi-paged forms

2000-10-19 Thread Tim Sweetman

Matt Sergeant wrote:
> 
> On Thu, 19 Oct 2000, Alexander Farber (EED) wrote:
> 
> > How do you handle uploading files when using multi-paged
> > forms (for example entered text and a picture are previewed
> > before storing into the database and special directory)?
> >
> > Uploaded files can't be passed as hidden fields, right?
> > So do you let your users upload the same file several
> > times and then delete the temporary files with a cron job?
> 
> Not multiple times, but let them upload and store in a temp file, which
> you can store the filename as a hidden field. Use File::MkTemp to create
> the filenames.

And make sure you check its validity, so people can't start probing
other parts of your file system.

-- 
Tim Sweetman
A L Digital
"we will fix it, we will mend it" --- the mice, _Bagpuss_



Re: [OT] uploaded files and multi-paged forms

2000-10-19 Thread Alexander Farber (EED)

Matt Sergeant wrote:
> Not multiple times, but let them upload and store in a temp file, which
> you can store the filename as a hidden field. Use File::MkTemp to create
> the filenames.

Thanks for the advice, but doesn't File::MkTemp have a race condition?
The subroutine File::MkTemp::mktemp does the following (comments are mine):

   $keepgen = 1;

   while ($keepgen){

      # generate a random file name and put it into $template

      if ($dir){
         $lookup = File::Spec->catfile($dir, $template);
         $keepgen = 0 unless (-e $lookup);  # isn't it a race?
      }else{
         $keepgen = 0;                       # here it doesn't even check -e
      }

      next if $keepgen == 0;                 # also, why this check?
   }
   return($template);

This looks like a bad-quality module to me, or am I awfully wrong?

(CC: Travis, please don't take it personally)



Re: [OT] uploaded files and multi-paged forms

2000-10-19 Thread Matt Sergeant

On Thu, 19 Oct 2000, Alexander Farber (EED) wrote:

> Matt Sergeant wrote:
> > Not multiple times, but let them upload and store in a temp file, which
> > you can store the filename as a hidden field. Use File::MkTemp to create
> > the filenames.
> 
> Thanks for the advice, but doesn't File::MkTemp have a race condition?
> The subroutine File::MkTemp::mktemp does the following (comments are mine):
> 
>    $keepgen = 1;
> 
>    while ($keepgen){
> 
>       # generate a random file name and put it into $template
> 
>       if ($dir){
>          $lookup = File::Spec->catfile($dir, $template);
>          $keepgen = 0 unless (-e $lookup);  # isn't it a race?
>       }else{
>          $keepgen = 0;                       # here it doesn't even check -e
>       }
> 
>       next if $keepgen == 0;                 # also, why this check?
>    }
>    return($template);
> 
> This looks like a bad-quality module to me, or am I awfully wrong?

It's only insecure if you don't use sysopen($fh, $newname, O_RDWR | O_EXCL
| O_CREAT) (and then get a new filename if that failed 'cos the file
existed).

File::Temp is a slightly more secure alternative, doing the above line for
you.

You should also take an MD5 hash of the contents of the file to ensure
they don't change in the lifetime of the request.

Sorry, but I don't mention these things because they are obvious to me
these days.

-- 


/||** Director and CTO **
   //||**  AxKit.com Ltd   **  ** XML Application Serving **
  // ||** http://axkit.org **  ** XSLT, XPathScript, XSP  **
 // \\| // ** Personal Web Site: http://sergeant.org/ **
 \\//
 //\\
//  \\

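The pattern Matt describes (O_CREAT|O_EXCL creation, a whitelisted token in the hidden field as Tim suggests, and an MD5 digest to catch the file changing between pages), written out as an added example; it is not code from the thread or from File::MkTemp/File::Temp. $UPLOAD_DIR, the "upload_" naming scheme and the three subroutine names are assumptions made for the example.

```perl
use strict;
use warnings;
use Fcntl qw(O_RDWR O_CREAT O_EXCL);
use Errno qw(EEXIST);
use File::Spec;
use Digest::MD5;

my $UPLOAD_DIR = '/tmp/uploads';    # assumed staging directory (constructed)

# Create the temp file atomically: O_CREAT|O_EXCL fails with EEXIST if the
# name already exists, so "check then create" becomes a single step.
# (File::Temp's tempfile() performs the same open for you.)
sub create_exclusive {
    my ($dir) = @_;
    my @chars = ('A'..'Z', 'a'..'z', 0..9);
    for (1 .. 10) {
        my $name = 'upload_' . join '', map { $chars[rand @chars] } 1 .. 8;
        my $path = File::Spec->catfile($dir, $name);
        if (sysopen(my $fh, $path, O_RDWR | O_CREAT | O_EXCL, 0600)) {
            return ($fh, $name);
        }
        die "sysopen $path: $!" unless $! == EEXIST;   # any other error is fatal
    }
    die "could not find an unused name in $dir";
}

# Page 1: store the upload and return what goes into the hidden fields.
sub stash_upload {
    my ($data) = @_;
    my ($fh, $name) = create_exclusive($UPLOAD_DIR);
    binmode $fh;
    print {$fh} $data;
    close $fh or die "close: $!";
    return ($name, Digest::MD5->new->add($data)->hexdigest);
}

# Final page: validate the hidden-field token before touching the filesystem
# (nothing with a slash or ".." can pass), then re-hash to detect a swapped file.
sub reopen_upload {
    my ($name, $expected_digest) = @_;
    $name =~ /\A upload_ [A-Za-z0-9]{8} \z/x or return (undef, 'bad token');
    my $path = File::Spec->catfile($UPLOAD_DIR, $name);
    open(my $fh, '<', $path) or return (undef, "open: $!");
    binmode $fh;
    my $digest = Digest::MD5->new->addfile($fh)->hexdigest;
    close $fh;
    return (undef, 'content changed') unless $digest eq $expected_digest;
    return ($path, undef);
}
```

Only the basename and the digest go into the hidden fields; the server rebuilds the path itself, and a periodic sweep of $UPLOAD_DIR (as in Matt's first reply) removes files the user never finished with.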



Re: [OT] uploaded files and multi-paged forms

2000-10-19 Thread Alexander Farber (EED)

Matt Sergeant wrote:
> It's only insecure if you don't use sysopen($fh, $newname, O_RDWR | O_EXCL
> | O_CREAT) (and then get a new filename if that failed 'cos the file
> existed).

Well, then at least the subroutines mkstempt and mkstemp are insecure,
since they call (funny, the comment below is by the File::MkTemp-author):

   $fh = new FileHandle ">$openup";  #and say ahhh.