 |  |  |  |  |  |  |  |
Basic Perl Web Upload Script
 |
Hi,
I've been reading through some tutorials on creating a basic web upload script with perl and cgi. The problem is that my server keeps throwing an Internal Server Error 500 without giving any feedback. I am hoping that someone has run into a similar problem or there is an obvious problem with my script. Here is the form script on the html document (/var/www/apache2-default/projects/music/music.html):
My httpd.conf for Apache2:
And my actual upload.cgi file:
All folders and files have been chmoded to 755 for all user execution. Even so, it seems like the httpd.conf points to the correct directory to allow cgi execution, but there has to be something wrong with the upload.cgi script.
I've been reading through some tutorials on creating a basic web upload script with perl and cgi. The problem is that my server keeps throwing an Internal Server Error 500 without giving any feedback. I am hoping that someone has run into a similar problem or there is an obvious problem with my script. Here is the form script on the html document (/var/www/apache2-default/projects/music/music.html):
<FORM ACTION="upload.cgi" METHOD="POST" ENCTYPE="multipart/form-data">
Song to Upload: <INPUT TYPE="file" NAME="song">
<br>
<INPUT TYPE="submit" NAME="Submit" VALUE="Submit Form">
</FORM>
My httpd.conf for Apache2:
<Directory /var/www/apache2-default/projects/music/>
Options FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>And my actual upload.cgi file:
#!/usr/bin/perl -w
use CGI;
$upload_dir = "/apache2-default/projects/music/upload";
$query = new CGI;
$filename = $query->param("song");
$filename =~ s/.*[\/\\](.*)/$1/;
$upload_filehandle = $query->upload("song");
open(UPLOADFILE, ">$upload_dir/$filename") or die "Can't open '$upload_dir/$filename': $!";
binmode UPLOADFILE;
while ( <$upload_filehandle> )
{
print UPLOADFILE;
}
close UPLOADFILE;
All folders and files have been chmoded to 755 for all user execution. Even so, it seems like the httpd.conf points to the correct directory to allow cgi execution, but there has to be something wrong with the upload.cgi script.
•
•
Join Date: Jun 2006
Posts: 263
Reputation: 
Solved Threads: 1
Posting Whiz in Training
First, it would be highly advisable to start your Perl script like this:
I know you used warnings with the -w flag already, but adding strict will help with debugging as well. Also, you "MUST" use the -T flag as shown to enable taint mode, or mistakes in your code could turn into gaping security holes. DO NOT leave all your folders and files at the 755 permission setting. Only a CGI script you want to be executable by a HTTP request should have these permissions. All other files should not allow anything else but read permission to "other" or "world" users (i.e. 4 as the last permission digit).
If there is a file called something like "cgierror.log" in the "logs" directory on the server, compile and run time errors may be collected here. You have not validated the user input sufficiently before passing it to open. This
means, match some stuff then capture anything any number of times and set $filename to this. This means someone could pass virtually anything into open(FILEHANDLE,....). Including of course ">my_file", which will delete the contents of any file a hacker chooses. Instead try,
The regex will remove any shell meta characters (<>) from the name supplied. I think it's best to use the three parameter form of open shown, as it's safer by not allowing user data to set the open mode. Finally, if it's just a text field you want to gather with your form, put:
I don't think type="file" is valid HTML.
Steven.
perl Syntax (Toggle Plain Text)
I know you used warnings with the -w flag already, but adding strict will help with debugging as well. Also, you "MUST" use the -T flag as shown to enable taint mode, or mistakes in your code could turn into gaping security holes. DO NOT leave all your folders and files at the 755 permission setting. Only a CGI script you want to be executable by a HTTP request should have these permissions. All other files should not allow anything else but read permission to "other" or "world" users (i.e. 4 as the last permission digit).
If there is a file called something like "cgierror.log" in the "logs" directory on the server, compile and run time errors may be collected here. You have not validated the user input sufficiently before passing it to open. This
perl Syntax (Toggle Plain Text)
means, match some stuff then capture anything any number of times and set $filename to this. This means someone could pass virtually anything into open(FILEHANDLE,....). Including of course ">my_file", which will delete the contents of any file a hacker chooses. Instead try,
perl Syntax (Toggle Plain Text)
The regex will remove any shell meta characters (<>) from the name supplied. I think it's best to use the three parameter form of open shown, as it's safer by not allowing user data to set the open mode. Finally, if it's just a text field you want to gather with your form, put:
HTML Syntax (Toggle Plain Text)
I don't think type="file" is valid HTML.
Steven.
The one question you should not ask when teaching a new language structure is "Do you understand?". Do you understand?
|
Similar Threads
- Writing to an Access Database (Visual Basic 4 / 5 / 6)
- Please help!!! Upload script.. (PHP)
- I get the error no file or directory when i try to run a perl script (Perl)
- Looking for a basic free announcements php script (Existing Scripts)
- Upload/Download Script... with compression? (PHP)
- i get an error while trying to run perl on win98 (Perl)
Other Threads in the Perl Forum
- Previous Thread: Problem with perl DBI ODBC driver (bug or misconfig ?) String data right truncation
- Next Thread: VSS to SVN
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Perl Posts
- Today's Posts
- Unanswered Threads
