cgi.pm upload question


mcar...@yahoo.com

Jul 25, 2006, 1:56:18 PM
Hi

I am writing an upload site for my company using Perl with CGI.pm.
Everybody who can upload has a username and password stored in a MySQL
database and they are authenticated every time they run a script.

Here is the problem I can't seem to get around. When somebody tries to
upload a file, the authentication subroutine is not run until after the
entire file is uploaded to the server. This has two serious flaws;
number one, a legitimate user may try uploading a large file, but they
are not authenticated and don't find out until after their whole file is
uploaded. The second problem is some jackass can upload huge files to
the server, and although they aren't authenticated, and the file will
not be saved on the server, they can grind the server to a halt by
sending multiple large uploads.

Does anybody know of a way to run some subroutines and possibly
send an error page BEFORE the server tries to take in the entire
upload?

Mike Cardeiro



Gunnar Hjalmarsson

Jul 25, 2006, 1:27:36 PM
mcar...@yahoo.com wrote:
> I am writing an upload site for my company using Perl with CGI.pm.
> Everybody who can upload has a username and password stored in a MySQL
> database and they are authenticated every time they run a script.
>
> Here is the problem I can't seem to get around. When somebody tries to
> upload a file, the authentication subroutine is not run until after the
> entire file is uploaded to the server. This has two serious flaws;
> number one, a legitimate user may try uploading a large file, but they
> are not authenticated and don't find out until after their whole file is
> uploaded. The second problem is some jackass can upload huge files to
> the server, and although they aren't authenticated, and the file will
> not be saved on the server, they can grind the server to a halt by
> sending multiple large uploads.
>
> Does anybody know of a way to run some subroutines and possibly
> send an error page BEFORE the server tries to take in the entire
> upload?

No. It's not possible. The file content is an integrated part of the
request, which needs to be parsed before the authentication can be
accomplished.

One way to reduce the risk for bogus upload requests is to make the
upload form available only to authenticated users. You can also set a
request size limit when configuring the web server.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
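
An added example, not part of the original posts: the request size limit suggested in the reply, enforced inside the script with CGI.pm's `$CGI::POST_MAX` plus a check of `CONTENT_LENGTH` from the environment. The 10 MB cap and the `precheck` helper are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Cap on the whole request body, in bytes (10 MB is an assumed value).
# CGI.pm compares CONTENT_LENGTH against this when the object is created
# and records a 413 error instead of parsing an oversized body.
$CGI::POST_MAX = 10 * 1024 * 1024;

# Hypothetical helper: decide from the environment alone whether a POST
# should be refused. Returns an HTTP status string, or nothing when the
# request may proceed to CGI.pm.
sub precheck {
    my ($env, $max) = @_;
    return unless ($env->{REQUEST_METHOD} || '') eq 'POST';
    my $len = $env->{CONTENT_LENGTH};
    # A POST with no usable length cannot be checked against the cap.
    return '411 Length Required'
        unless defined $len && $len =~ /^\d+$/;
    return '413 Request Entity Too Large' if $len > $max;
    return;
}

if (my $status = precheck(\%ENV, $CGI::POST_MAX)) {
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n";
    print "Upload refused: $status\n";
    exit;
}

my $q = CGI->new;

# Second line of defence: CGI.pm's own POST_MAX check reports through
# cgi_error() rather than dying.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err, -type => 'text/plain');
    print "Upload refused: $err\n";
    exit;
}

# The site's authentication subroutine and upload handling would follow.
print $q->header('text/plain'), "Request accepted for authentication\n";
```

A limit in the script only stops the script from processing the body; the web server setting mentioned in the reply is what refuses the request earlier. On Apache, assuming that is the server in use, the directive is `LimitRequestBody`.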
