Pattern Matching

Status
Not open for further replies.

jbarkawi

Programmer
Jul 27, 2005
3
US
Hello,

I am uploading a file to my server, and was wondering if anyone could let me know how to include a couple types of files. I located this general piece of code from the FAQ, but cannot seem to get the other file type right. Basically, I want the user to be able to upload text files (.txt), Word files, and PDFs. The code I have is below:

unless ($type =~ /text\/[html|plain]/i)
{
&showError("Dangerous file type of $type.<BR>UPLOAD ABORTED.");
}

Thank you for your time and effort guys.

Joe Barkawi
Software Engineer
Infinite Tiers, Inc.
 
alternation requires regular braces - not square braces

(either|or)


Kind Regards
Duncan
 
Or if you want to be really careful:
Code:
unless ($type =~ /text\/(?:html|plain)/i)
This way, you don't step on any previously captured $1.

Trojan.
 
What is $type? Is that the actual text of the uploaded file? That will not be as effective in preventing uploads of "dangerous" file types. You will first want to check the MIME type in the header and the file extension, I would think. If you use CGI.pm to upload files:

Code:
$filename = $query->param('uploaded_file');
$type = $query->uploadInfo($filename)->{'Content-Type'};
unless ($type eq 'text/html') {
    die "HTML FILES ONLY!";
}

which is right out of the CGI.pm documentation.

You can easily check the file extension using File::Basename.
 
It's easy to write a cgi application that returns misleading headers and extensions. You should probably run File::MMagic over it with the /etc/magic version before you trust an upload. If it really matters, a call to clam won't come amiss.

f

"As soon as we started programming, we found to our surprise that it wasn't as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs."
--Maurice Wilkes
 
It's easy to write a cgi application that returns misleading headers and extensions.

Very true. It seems we can never be careful enough. I was unaware of the File::MMagic module, looks like it could be handy.
 
I once had a user log a help-desk call saying that every time someone tried to send him a particular file, the virus checker blocked it. When someone rang to advise, he was told "don't worry - he changed the extension and it came through fine!"

We changed our anti-virus solution that week.

f

"As soon as we started programming, we found to our surprise that it wasn't as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs."
--Maurice Wilkes
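
The points raised across this thread, combined in one added example (not code from any poster): the declared type is compared whole against an allowlist for .txt, Word and PDF, the extension must agree with it, and the first bytes of the file are checked, since the header and file name are both supplied by the client. Assumptions: `check_upload` and `%ALLOWED` are hypothetical names, a few hard-coded file signatures stand in for the File::MMagic lookup suggested above, and the sample inputs are constructed.

```perl
use strict;
use warnings;

# Added example: check_upload() and %ALLOWED are hypothetical names.
# Declared MIME type => [ required extension, check on the first bytes ].
my %ALLOWED = (
    'text/plain'         => [ qr/\.txt\z/i, sub { $_[0] !~ /\x00/ } ],
    'application/pdf'    => [ qr/\.pdf\z/i, sub { $_[0] =~ /\A%PDF-/ } ],
    'application/msword' => [ qr/\.doc\z/i,     # OLE2 compound-file signature
                              sub { $_[0] =~ /\A\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1/ } ],
);

# Returns undef when the upload is acceptable, otherwise a reason string.
sub check_upload {
    my ($type, $filename, $head) = @_;
    # Strip parameters such as "; charset=..." and compare the whole type,
    # instead of searching for a pattern somewhere inside it.
    (my $mime = lc($type // '')) =~ s/\s*;.*//s;
    my $rule = $ALLOWED{$mime} or return "type '$mime' is not on the allowlist";
    my ($ext_re, $sniff) = @$rule;
    return "extension does not match $mime" unless $filename =~ $ext_re;
    return "content does not look like $mime" unless $sniff->($head);
    return;
}

# The character class from the first post: one character out of
# h t m l | p a i n after "text/", unanchored.
my $loose = qr/text\/[html|plain]/i;

# Constructed samples: [ declared type, file name, first bytes of the file ].
my @samples = (
    [ 'text/plain',                'notes.txt',  "meeting notes\n" ],
    [ 'application/pdf',           'report.pdf', "%PDF-1.4\n" ],
    [ 'application/msword',        'memo.doc',   "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00" ],
    [ 'text/tab-separated-values', 'data.tsv',   "a\tb\n" ],          # matches the class on "t"
    [ 'application/pdf',           'report.pdf', "PK\x03\x04\x14" ],  # header and name lie
);

for my $s (@samples) {
    my ($type, $name, $head) = @$s;
    my $old = $type =~ $loose ? 'pass' : 'abort';
    my $why = check_upload($type, $name, $head);
    printf "%-26s %-11s posted regex: %-5s allowlist: %s\n",
        $type, $name, $old, defined $why ? "reject ($why)" : 'accept';
}
```

In a CGI.pm handler, `$type` would come from `uploadInfo` as shown earlier in the thread and `$head` from reading the start of the upload filehandle; a virus scan, as suggested above, would run after these checks.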
 