 Kelicula  176
Recognized Expert New Member
I am trying to ensure that only files of a certain type can be uploaded.
Why doesn't this work??
(It's a code snippet..not the whole file) -
-
-
if(my $file = $q->param('avatar')){
-
-
$CGI::POST_MAX = 1024 * 39; # Limit to 39 kb.
-
-
my $dir = '../img/avatars';
-
my $charsok = 'a-zA-Z0-9_.-';
-
my ($filename,undef,$ext) = fileparse($file,qr{\..*});
-
-
if($ext !~ /jpeg|gif|png/gi){
-
$emess .= qq* <li>That is an invalid file, avatars MUST be in "jpeg", "gif" or "png" format.</li> *;
-
}
-
else{
-
-
$filename .= $ext;
-
$filename =~ tr/ /_/;
-
$filename =~ s/[^$charsok]//g;
-
-
if($filename =~ /^([$charsok]+)$/){
-
$filename = $1;
-
-
-
my $upload_file = $q->upload('avatar');
-
-
open(FILE, ">$dir/$filename") || Tools->listErr( $! );
-
binmode FILE;
-
-
while (<$upload_file>){
-
print FILE;
-
}
-
-
close(FILE);
-
-
$sth = $dbh->prepare(qq~ UPDATE users SET avatar=? WHERE id=? ~);
-
$sth->execute( "$dir/$filename", $user->{id}) || Tools->listErr( $sth->errstr );
-
$sth->finish;
-
}
-
else{
-
$emess .= "<li>Filename not valid, may only contain these characters: $charsok</li>";
-
}
-
}
-
}
-
Anyone know why the $ext variable isn't matching?
I can upload a .exe and it won't skip a beat....
NOT good.
12 2674  KevinADC 4,059
Recognized Expert Specialist
looks like it should work -
use warnings;
-
use File::Basename;
-
foreach my $file qw(path/to/foo.exe path/to/foo.jpg) {
-
my ($filename,$dir,$ext) = fileparse($file,qr{\..*});
-
print "$filename,$dir,$ext\n";
-
if($ext !~ /jpeg|gif|png/gi){
-
print qq* That is an invalid file, avatars MUST be in "jpeg", "gif" or "png" format.*;
-
}
-
else {
-
print " It's good $ext\n";
-
}
-
}
-
I'd tighten up the regexp but it should work the way you have it.
Kelicula 176
Recognized Expert New Member
looks like it should work
-
use warnings;
-
use File::Basename;
-
foreach my $file qw(path/to/foo.exe path/to/foo.jpg) {
-
my ($filename,$dir,$ext) = fileparse($file,qr{\..*});
-
print "$filename,$dir,$ext\n";
-
if($ext !~ /jpeg|gif|png/gi){
-
print qq* That is an invalid file, avatars MUST be in "jpeg", "gif" or "png" format.*;
-
}
-
else {
-
print " It's good $ext\n";
-
}
-
}
-
I'd tighten up the regexp but it should work the way you have it.
Ah Ha!
It was working, the problem was that I was trying to create the error message before the uploading occurred. So the error was being created after the upload...
I never waited long enough!!
silly me....
Guess I'll have to deploy some 'ole javascript.
PS- Kevin (ADC) any ideas, on tightening the regex?
eWish 971
Recognized Expert Contributor
I would also like to see what KevinADC offers, but I feel like this is fairly tight and just not sure on the efficiency of it though. -
if (not $ext =~ /^\.?(?i:jpe?g|gif|png)$/) {
-
--Kevin
 KevinADC 4,059
Recognized Expert Specialist
I would also like to see what KevinADC offers, but I feel like this is fairly tight and just not sure on the efficiency of it though.
-
if (not $ext =~ /^\.?(?i:jpe?g|gif|png)$/) {
-
--Kevin
That is pretty much just what I was going to suggest: - if ($ext !~ /^ \.jpe?g | \.gif | \.png $/iox) {
the dot might be optional at the beginning of some file extensions but I prefer to force that it is required instead of being optional.
It is also important to note that this does not stop people from uploading an .exe file renamed to .txt (for example) or maybe worse yet an .htaccess file. So if you allow users to rename files after uploading them make sure that any rename/move/copy routine also checks that users can't rename files with any illegal file extension. I have seen this in many scripts, they only check when a file is uploaded and never again to make sure the user isn't trying to do something dangerous or malicious.
There is a module File::Type (as well as others) that can be used to further check the type of file the user is uploading. But I noted a while back that the one review of the module calls into question some inefficiency issues so you may want to read the review on CPAN and see if you think it's worths implementing or not.
You can also use the uploadInfo method of the CGI module: - my $type = $query->uploadInfo($filename)->{'Content-Type'};
See the CGI documentation for details.
Also, you should be using Taint mode and untainting any filenames the user attempts to upload. All CGI scripts should operate in Taint mode.
Kelicula 176
Recognized Expert New Member
That is pretty much just what I was going to suggest:
- if ($ext !~ /^ \.jpe?g | \.gif | \.png $/iox) {
the dot might be optional at the beginning of some file extensions but I prefer to force that it is required instead of being optional.
It is also important to note that this does not stop people from uploading an .exe file renamed to .txt (for example) or maybe worse yet an .htaccess file. So if you allow users to rename files after uploading them make sure that any rename/move/copy routine also checks that users can't rename files with any illegal file extension. I have seen this in many scripts, they only check when a file is uploaded and never again to make sure the user isn't trying to do something dangerous or malicious.
There is a module File::Type (as well as others) that can be used to further check the type of file the user is uploading. But I noted a while back that the one review of the module calls into question some inefficiency issues so you may want to read the review on CPAN and see if you think it's worths implementing or not.
You can also use the uploadInfo method of the CGI module:
- my $type = $query->uploadInfo($filename)->{'Content-Type'};
See the CGI documentation for details.
Also, you should be using Taint mode and untainting any filenames the user attempts to upload. All CGI scripts should operate in Taint mode.
Thanks guys for the quick replies!!
Yes absolutely, I AM in Taint mode.
But for this check I don't need to backtrack, so I have come up with this: -
#!/usr/bin/perl -Tw
-
use strict;
-
-
if($ext !~ /\.+(?:jpeg|jpg|gif|png)/xoi){
-
$emess .= qq*<li>That is an invalid file, avatars MUST be in "jpeg", "gif" or "png" format.</li>*;
-
}
-
-
-
# Then later...
-
-
if($filename =~ /^([$charsok]+)$/){
-
$filename = $1;
-
}
-
Using $1 as KevinADC recommends in his tutorial, allowing perl to untaint $filehandle.
I am NOT going to allow users to rename the files. They can either upload a new avatar, or keep this one, but they don't get a choice as to where it gets stored or even the name of it. Just as long as That same picture come up when they log-in they should be happy.
Lot's of good tips though.
I'll check out that File::type mod.
As well as, the "Uploadinfo" method.
Happy coding!
eWish 971
Recognized Expert Contributor
I would include the ^ and $ to your regex and not allow more than one . (dot) else things like this will still make it past your check point. -
.....jpegggy
-
.giftsarecool
-
.pngreen
-
--Kevin
Plater 7,872
Recognized Expert Expert
Be sure to watch out for MAC users and their * being a valid character.
I and my foolish code "lost" a directory on my unix server do to that once...
Kelicula 176
Recognized Expert New Member
I would include the ^ and $ to your regex and not allow more than one . (dot) else things like this will still make it past your check point.
-
.....jpegggy
-
.giftsarecool
-
.pngreen
-
--Kevin
Ah HA!!
Yes I incorrectly chose "x" at the end of the matching separator. When I meant "\z", or "$" within it. I DO want it to match a end of string.
Also, I had thought of the dot, and somehow thought that if they had a dot in the name of the file, only allowing one dot would NDTRT. So I decided that having a dot in part of the file name is not so bad.
After all if you want to name your file "hello..." .gif, that's ok with me, I'm only concerned with the "extension".
so I guess it should be... -
#
-
if($ext !~ /\.(?:jpeg|jpg|gif|png)\z/oi){
-
-
Thanks! eWish..
eWish 971
Recognized Expert Contributor
So lets take the hypothetically situation that may never arise, but it is still valid. Say the user uploads a file like this c:/path/to/some.example.image.jpg. File::Basename would capture the file extension as ".example.image.jpg". Then when you check the extension it will still pass. If you have the anchors at the start and end of the string then you would eliminate this.
The reason I mention this is because if you are going to store these in the database eventually this could cause you problems down the road.
--Kevin
Kelicula 176
Recognized Expert New Member
So lets take the hypothetically situation that may never arise, but it is still valid. Say the user uploads a file like this c:/path/to/some.example.image.jpg. File::Base name would capture the file extension as ".example.image.jpg". Then when you check the extension it will still pass. If you have the anchors to the from and end of the string you would eliminate this.
The reason I mention this is because if you are going to store these in the database eventually this could cause you problems down the road.
--Kevin
Humm...
OK, so should it be; -
-
if($ext !~ /^\w*\.(?:jpeg|jpg|gif|png)$/oi)
-
-
Seems to work for me in this test.. -
foreach my $e qw(/path/too/foo.jpeg /path/too/foo.exe /peth/too/foo.gif.gif /path/to/foo...gif){
-
my ($filename,undef,$ext) = fileparse($e,qr{\..*});
-
print $ext."\n";
-
if($ext !~ /^\w*\.(?:jpeg|jpg|gif|png)$/oi){
-
print qq*<li>That is an invalid file, avatars MUST be in "jpeg", "gif" or "png" format.</li>\n\n*;
-
}else{
-
print "OK\n\n";
-
}
-
}
-
-
With only .jpeg going through...
eWish 971
Recognized Expert Contributor
Since you are checking the extension once File::Basename has done it's job you could use the regex either of the regexs that Kevin and myself suggested. They would eliminate the other problems. Also, it would help to prevent a user from using (.) in the filename and make the user use underscores as well.
Any of these should work. - if ($ext !~ /^ \.jpe?g | \.gif | \.png $/iox) {
-
# OR
-
if ($ext !~ /^\.?(?i:jpe?g|gif|png)$/) {
-
# OR
-
if($ext !~ /^\.(?:jpeg|jpg|gif|png)\z/oi){
This way the extension can only consist of a dot followed by j,p,e,g or j,p,g and so on.
--Kevin
Kelicula 176
Recognized Expert New Member
Since you are checking the extension once File::Basename has done it's job you could use the regex either of the regexs that Kevin and myself suggested. They would eliminate the other problems. Also, it would help to prevent a user from using (.) in the filename and make the user use underscores as well.
Any of these should work.
- if ($ext !~ /^ \.jpe?g | \.gif | \.png $/iox) {
-
# OR
-
if ($ext !~ /^\.?(?i:jpe?g|gif|png)$/) {
-
# OR
-
if($ext !~ /^\.(?:jpeg|jpg|gif|png)\z/oi){
This way the extension can only consist of a dot followed by j,p,e,g or j,p,g and so on.
--Kevin
OK, so for the forum purposes I settled on this; -
if($ext !~ /^\.(?:jpe?g|gif|png)$/oi){
-
$emess .= qq{<li>That is an invalid file, avatars MUST be in "jpeg", "gif" or "png" format.</li>};
-
}
-
Also changed the "*" character to a simple {.
Thanks guys!!
Sign in to post your reply or Sign up for a free account.
Similar topics | |
by: Tongu? Yumruk |
last post by:
I have a little proposal about type checking in python. I'll be glad
if you read and comment on it. Sorry for my bad english (I'm not a
native English speaker)
A Little Stricter Typing in Python...
|
by: Web Developer |
last post by:
Hi,
I come across the term "type checking" very often in my readings on C++, and
have never heard it in Java. Besides the simplistic answer that it checks
the "type", what more does it mean?
...
|
by: Steven T. Hatton |
last post by:
Some people have suggested the desire for code completion and refined
edit-time error detection are an indication of incompetence on the part of
the programmer who wants such features. ...
|
by: Frances Del Rio |
last post by:
if (parent.frames.main.location == 'mediaselect.html') {
I have a very simple frameset, name of frame where I'm checking is
'main'... why is this not working? I mean this is correct syntax,...
|
by: mike |
last post by:
I had a form like below that validated that a file was there before it
would submit.
<form name="attach" method="POST" action="run_this_pgm.cfm"
enctype="multipart/form-data"...
| | |
by: MT |
last post by:
Hi,
I am currently validating an XML file against a Schema using
XMLValidatingReader. The schema actually contains ranges for particular
elements and I have been using it to detect range errors...
|
by: RoSsIaCrIiLoIA |
last post by:
Do you know how to write a self-checking program in standard C?
Do I can think that if I write in a file.c
static g="1234567";
in the file.exe (or file) there is in some place...
|
by: gryffin |
last post by:
im trying to do file extension checking but its not working :(
i have the following in the head
<script language="JavaScript">
extArray = new Array(".jpg", ".png", ".bmp");
function...
|
by: Joe Strout |
last post by:
On Nov 12, 2008, at 10:45 AM, Tim Rowe wrote:
Because if I write a method with the intention of treating the
arguments like strings in various ways (slicing, combining with other
strings,...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
