Hi,

I've been reading through some tutorials on creating a basic web upload script with perl and cgi. The problem is that my server keeps throwing an Internal Server Error 500 without giving any feedback. I am hoping that someone has run into a similar problem or there is an obvious problem with my script. Here is the form script on the html document (/var/www/apache2-default/projects/music/music.html):

<FORM ACTION="upload.cgi" METHOD="POST" ENCTYPE="multipart/form-data">
Song to Upload: <INPUT TYPE="file" NAME="song">
<br>
<INPUT TYPE="submit" NAME="Submit" VALUE="Submit Form">
</FORM>

My httpd.conf for Apache2:

<Directory /var/www/apache2-default/projects/music/>
Options FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>

And my actual upload.cgi file:

#!/usr/bin/perl -w

use CGI;
$upload_dir = "/apache2-default/projects/music/upload";

$query = new CGI;

$filename = $query->param("song");
$filename =~ s/.*[\/\\](.*)/$1/;
$upload_filehandle = $query->upload("song");

open(UPLOADFILE, ">$upload_dir/$filename") or die "Can't open '$upload_dir/$filename': $!";
binmode UPLOADFILE;
while ( <$upload_filehandle> )
{
print UPLOADFILE;
}
close UPLOADFILE;

All folders and files have been chmoded to 755 for all user execution. Even so, it seems like the httpd.conf points to the correct directory to allow cgi execution, but there has to be something wrong with the upload.cgi script.

First, it would be highly advisable to start your Perl script like this:

#!/usr/bin/perl -T

use strict;
use warnings;

I know you used warnings with the -w flag already, but adding strict will help with debugging as well. Also, you "MUST" use the -T flag as shown to enable taint mode, or mistakes in your code could turn into gaping security holes. DO NOT leave all your folders and files at the 755 permission setting. Only a CGI script you want to be executable by a HTTP request should have these permissions. All other files should not allow anything else but read permission to "other" or "world" users (i.e. 4 as the last permission digit).

If there is a file called something like "cgierror.log" in the "logs" directory on the server, compile and run time errors may be collected here. You have not validated the user input sufficiently before passing it to open. This

$filename =~ s/.*[\/\\](.*)/$1/;

means, match some stuff then capture anything any number of times and set $filename to this. This means someone could pass virtually anything into open(FILEHANDLE,....). Including of course ">my_file", which will delete the contents of any file a hacker chooses. Instead try,

my $filename =~ /([^<>]*)/;
$filename = $1;
open(FILEHANDLE, "<", $filename);

The regex will remove any shell meta characters (<>) from the name supplied. I think it's best to use the three parameter form of open shown, as it's safer by not allowing user data to set the open mode. Finally, if it's just a text field you want to gather with your form, put:

<input type="text" name="song">

I don't think type="file" is valid HTML.

Steven.

i'm sure 'file' is absolutely valid)

cool, for the last 2 and a half years I've been wondering about that..... :-/

This article has been dead for over six months. Start a new discussion instead.