开发者

Should I sanitize file upload input field in my Perl CGI HTML form?

问答 作者:

I understand the need to sanitize inputs from a HTML form, but when I sanitized the file upload field in a recent module of mine, the file upload started failing. It's important to sanitize all form inputs, right? Even the special file upload field?

My form output code looks something like this:

use CGI;
my $cgi = new CGI;
print $cgi->header();
# ... print some HTML here
print $cgi->start_form();
print $cgi->filefield(-name=>'开发者_如何学Pythonuploaded_file',
                      -size=>50,
                      -maxlength=>80);
print $cgi->submit(-name=>'continue',
                   -value=>'Continue');
print $cgi->end_form();
# ... print some more HTML here

And my sanitization code looks something like this (it's actually earlier in the same module as above):

use HTML::Entities
my $OK_CHARS => 'a-zA-Z0-9 .,-_';
foreach my $param_name ( $cgi->param() ) {
    my $original_content = $cgi->param($param_name);
    my $replaced_content = HTML::Entities::decode( $original_content );
    $replaced_content =~ s/[^$OK_CHARS]//go;
    $cgi->param( $param_name, $replaced_content );
}

When I added the sanitization code recently, the file upload started failing. The filehandle is returning undefined now in this line:

my $uploadedFilehandle = $cgi->upload('uploaded_file');

So did I do something wrong in the sanitization code? I got that code snippet from the Internet somewhere, so I don't completely understand it all. I've never seen an 'o' regex modifier before and I've never used the HTML::Entities module before.

Entities are not encoded in file uploads' content. Sanitizing a file upload is not the same as sanitizing a text field. With a file upload you check the extension and possibly the format and encoding (by attempting to open it using particular decoder, etc.) and ensure that the file is not overly large.

In your code, you are in fact attempting to perform string operations on a file handle when you hit the file field.

No, you should not. See the CGI.pm docs on how to process an upload field:

To be safe, use the upload() function (new in version 2.47). When called with the name of an upload field, upload() returns a filehandle-like object, or undef if the parameter is not a valid filehandle. ...

继续阅读:cgifile-uploadperlsanitization

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9