Pedro wrote:
>Hi all, I am working on a cgi script that can create a temporal file
>with either an uploaded file, or, in its absence, the pasted content of
>tha

Well, I spent some time to learn this upload example. Here is the solution I came up with. There were 2 problems as far as I could tell:

1. The $fh variable was set wrong
2. $in needed to be untainted (I just copied the generic perlsec untaint routine, so you may be able to make a better one)

#!/usr/sbin/perl -wT
use CGI;
use strict;
use Fcntl qw( :DEFAULT :flock);

#define file paths for file writes and genscan location
my $bin="/usr1/par/bin";
my $httproot = "/usr/freeware/apache/share/htdocs/MIF/icons/";
my $dir = "/tmp/"; #directory for writing files
my $gnuplot = "/usr/freeware/bin/gnuplot";
my $ppmtogif = "/usr/freeware/bin/ppmtogif";

my $q = new CGI;
print $q->header,
      $q->start_html(-title=>"Variability Results",-bgcolor=>"white");
print $q->h1("Variability Results");

my $in = $q->param("name");
my $file = $q->param("file");
##############################################
#my $fh = $q->upload( $file ); #Error here
my $fh = $file ; #Should be this
##############################################
my $paste = $q->param("alignment");
my $i;
my $flen;
my $var = $^T; # script start time, appended to the file name
$in =~ s/\s\t//g;
$in = $in.$var;

##################################################
# Here is my "shady" but working untaint mechanism
if ($in =~ /^([-\@\w.]+)$/){$in= $1;}
###################################################

if (!$file) {
    # no upload: save the pasted content
    open(INFILE, ">$dir/$in") || die "I cannot create $in!\n";
    flock(INFILE, 2);
    print INFILE "$paste";
    close (INFILE) || die "can't close $dir/$in!";
}
else {
    # upload present: copy it in 1024-byte chunks, up to the size limit
    open(UPLOAD,">$dir/$in") or die "Can't open outfile for writing: $!";
    $flen = 0;
    while (read($fh,$i,1024)) {
        print UPLOAD $i;
        $flen = $flen + 1024;
        if ($flen > 5120000) {
            close(UPLOAD);
            die "Error - file is too large. Save aborted.<p>";
        }
    }
    close(UPLOAD);
}
print $q->end_html;
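
A stricter variant of the untaint and file-creation steps discussed above, as an added example that is not part of the original post. The helper names untaint_name and create_new are hypothetical; the form fields "name", "file" and "alignment", the /tmp directory and the 5120000-byte limit are taken from the post.

```perl
#!/usr/bin/perl -wT
use strict;
use CGI;
use Fcntl qw(:DEFAULT);

my $max = 5_120_000;          # size limit used in the post
$CGI::POST_MAX = $max;        # CGI.pm rejects larger requests while parsing
my $dir = "/tmp";             # directory used in the post

# Untaint by allow-list and fail closed. \A...\z (unlike ^...$) rejects a
# trailing newline; the first character may not be "." or "-".
sub untaint_name {
    my ($name) = @_;
    return unless defined $name;
    return $1 if $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.\@-]{0,63})\z/;
    return;
}

# O_EXCL makes the open fail if the path already exists, including a
# symlink planted in the shared directory, instead of writing through it.
sub create_new {
    my ($path) = @_;
    sysopen(my $out, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "cannot create $path: $!\n";
    binmode $out;
    return $out;
}

my $q = CGI->new;
print $q->header, $q->start_html(-title => "Variability Results");
die "request rejected: " . $q->cgi_error . "\n" if $q->cgi_error;

my $name = untaint_name(scalar $q->param("name"));
die "invalid name\n" unless defined $name;
my $out = create_new("$dir/$name.$^T.$$");   # $^T = start time, $$ = pid

if (my $fh = $q->upload("file")) {           # upload() takes the field name
    my ($buf, $total) = ("", 0);
    while (my $n = read($fh, $buf, 1024)) {
        $total += $n;                        # count the bytes actually read
        die "file is too large\n" if $total > $max;
        print {$out} $buf;
    }
} else {
    my $paste = $q->param("alignment");
    print {$out} defined $paste ? $paste : "";
}
close($out) or die "cannot close output: $!\n";
print $q->end_html;
```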