Ad:

Perl Discussion Thread
Unsolved
Views: 12357

Feb 5th, 2007

Basic Perl Web Upload Script

Expand Post »

Hi,

I've been reading through some tutorials on creating a basic web upload script with perl and cgi. The problem is that my server keeps throwing an Internal Server Error 500 without giving any feedback. I am hoping that someone has run into a similar problem or there is an obvious problem with my script. Here is the form script on the html document (/var/www/apache2-default/projects/music/music.html):

<FORM ACTION="upload.cgi" METHOD="POST" ENCTYPE="multipart/form-data">

Song to Upload: <INPUT TYPE="file" NAME="song">

<br>

<INPUT TYPE="submit" NAME="Submit" VALUE="Submit Form">

</FORM>

My httpd.conf for Apache2:

<Directory /var/www/apache2-default/projects/music/>

Options FollowSymLinks +ExecCGI

AddHandler cgi-script .cgi

</Directory>

And my actual upload.cgi file:

#!/usr/bin/perl -w



use CGI;

$upload_dir = "/apache2-default/projects/music/upload";



$query = new CGI;



$filename = $query->param("song");

$filename =~ s/.*[\/\\](.*)/$1/;

$upload_filehandle = $query->upload("song");



open(UPLOADFILE, ">$upload_dir/$filename") or die "Can't open '$upload_dir/$filename': $!";

binmode UPLOADFILE;

while ( <$upload_filehandle> )

{

print UPLOADFILE;

}

close UPLOADFILE;

All folders and files have been chmoded to 755 for all user execution. Even so, it seems like the httpd.conf points to the correct directory to allow cgi execution, but there has to be something wrong with the upload.cgi script.

Similar Threads

Writing to an Access Database in Visual Basic 4 / 5 / 6
Please help!!! Upload script.. in PHP
I get the error no file or directory when i try to run a perl script in Perl
Looking for a basic free announcements php script in Configuring Readymade Scripts
Upload/Download Script... with compression? in PHP

JayT

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

2 posts
since Jan 2007

Permalink

Feb 7th, 2007

Re: Basic Perl Web Upload Script

First, it would be highly advisable to start your Perl script like this:

perl Syntax (Toggle Plain Text)
#!/usr/bin/perl -T
 
use strict;
use warnings;
#!/usr/bin/perl -T

use strict;
use warnings;

I know you used warnings with the -w flag already, but adding strict will help with debugging as well. Also, you "MUST" use the -T flag as shown to enable taint mode, or mistakes in your code could turn into gaping security holes. DO NOT leave all your folders and files at the 755 permission setting. Only a CGI script you want to be executable by a HTTP request should have these permissions. All other files should not allow anything else but read permission to "other" or "world" users (i.e. 4 as the last permission digit).

If there is a file called something like "cgierror.log" in the "logs" directory on the server, compile and run time errors may be collected here. You have not validated the user input sufficiently before passing it to open. This

perl Syntax (Toggle Plain Text)
$filename =~ s/.*[\/\\](.*)/$1/;
$filename =~ s/.*[\/\\](.*)/$1/;

means, match some stuff then capture anything any number of times and set $filename to this. This means someone could pass virtually anything into open(FILEHANDLE,....). Including of course ">my_file", which will delete the contents of any file a hacker chooses. Instead try,

perl Syntax (Toggle Plain Text)
my $filename =~ /([^<>]*)/;
$filename = $1;
open(FILEHANDLE, "<", $filename);
my $filename =~ /([^<>]*)/;
$filename = $1;
open(FILEHANDLE, "<", $filename);

The regex will remove any shell meta characters (<>) from the name supplied. I think it's best to use the three parameter form of open shown, as it's safer by not allowing user data to set the open mode. Finally, if it's just a text field you want to gather with your form, put:

HTML Syntax (Toggle Plain Text)
<input type="text" name="song">
<input type="text" name="song">

I don't think type="file" is valid HTML.

Steven.

Mushy-pea

Reputation Points: 47

Solved Threads: 1

Posting Whiz in Training

Offline

271 posts
since Jun 2006

Permalink

Aug 4th, 2009

Re: Basic Perl Web Upload Script

i'm sure 'file' is absolutely valid)

bildja

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

2 posts
since May 2009

Permalink

Aug 4th, 2009

Re: Basic Perl Web Upload Script

Click to Expand / Collapse Quote originally posted by bildja ...

i'm sure 'file' is absolutely valid)

cool, for the last 2 and a half years I've been wondering about that.....

KevinADC

Reputation Points: 246

Solved Threads: 67

Practically a Posting Shark

Offline

898 posts
since Mar 2006

Permalink

Aug 5th, 2009

Re: Basic Perl Web Upload Script

lol)) i didn't pay attention for the post date)

bildja

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

2 posts
since May 2009

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in Perl Forum Timeline: Problem with perl DBI ODBC driver (bug or misconfig ?) String data right truncation

Next Thread in Perl Forum Timeline: VSS to SVN

DaniWeb Message

Cancel Changes

User Name
Password