[Info-vax] HTTP and HTML File Upload Basics

Arne Vajhøj arne at vajhoej.dk
Tue Oct 20 15:11:34 EDT 2020


On 10/20/2020 3:05 PM, Stephen Hoffman wrote:
> On 2020-10-20 17:32:08 +0000, Phillip Helbig (undress to reply) said:
>> Does anyone have a basic DCL script which, when called as a script by 
>> the web server, can upload a file from the browser machine to the server
>> machine?
> 
> CGI doesn't get used for this. A CGI-based fetch as you're likely 
> envisioning here would be routinely blocked by network firewalls, among 
> other details.

????

I believe he is asking for:

browser---(POST of file)---web server---CGI script---disk file

That is very much possible. And the firewall will most likely not
even know that the target URL is a CGI script.

> And somewhat more advanced, do not allow the user to provide a filename, 
> and do not allow execute access within the upload directories. 
> Particularly beware polyglot files; files an incautious user might think 
> harmless can be executables.
> 
> https://security.stackexchange.com/questions/116819/beside-gifar-are-there-any-other-known-polyglot-files 
> 
> Open and insecure uploads can be quickly filled with warz and worse, 
> particularly if a remote user can then download the content.

Yes - there are some security risks.

Uploading to a directory not served by the web server and using a download
script to get it may be a good thing.

Arne
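
Added example, not part of the thread: a pair of CGI-style handlers in Python
(the original question asked for DCL; Python is used here so the flow can be
run anywhere) showing the browser -> POST -> web server -> CGI script -> disk
file path sketched above together with the precautions discussed: the
client-supplied filename is ignored and the server picks a random name, the
file is written with no execute bit into a directory outside the document
root, and the file is handed back through a download script that serves it
as an opaque attachment. UPLOAD_DIR, the form field name "file", the size
limit and the sample multipart request (a GIF/HTML polyglot, the kind of file
the quoted warning is about) are assumptions made for the example.

```python
import os
import re
import secrets
import tempfile
from dataclasses import dataclass
from typing import Optional

UPLOAD_DIR = "/var/uploads"          # assumption: outside the web server's document root
MAX_UPLOAD_BYTES = 8 * 1024 * 1024   # assumption: refuse anything larger
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")   # the only file names the download script will touch


@dataclass
class Part:
    name: str
    filename: Optional[str]          # whatever the client claimed; used for nothing
    content_type: Optional[str]
    data: bytes


def parse_multipart(content_type: str, body: bytes) -> list:
    """Split a multipart/form-data body (RFC 7578) into Parts."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("multipart boundary missing")
    delimiter = b"--" + m.group(1).encode("ascii")
    parts = []
    for chunk in body.split(delimiter)[1:]:     # [0] is the preamble
        if chunk.startswith(b"--"):
            break                               # closing "--boundary--"
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: no header/body separator")
        if data.endswith(b"\r\n"):
            data = data[:-2]                    # CRLF before the next delimiter is not payload
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, colon, value = line.partition(":")
            if colon:
                headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r';\s*name="([^"]*)"', disp)
        fname = re.search(r';\s*filename="([^"]*)"', disp)
        parts.append(Part(name.group(1) if name else "", fname.group(1) if fname else None,
                          headers.get("content-type"), data))
    return parts


def store_upload(part: Part, upload_dir: str = UPLOAD_DIR) -> str:
    """Write the part under a server-chosen random name and return that name."""
    if len(part.data) > MAX_UPLOAD_BYTES:
        raise ValueError("upload too large")
    token = secrets.token_hex(16)               # no traversal, no attacker-chosen extension
    path = os.path.join(upload_dir, token)
    # O_EXCL: never overwrite or follow an existing entry; 0o600: owner read/write, never executable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(part.data)
    return token


def upload_cgi(environ: dict, stdin: bytes, upload_dir: str = UPLOAD_DIR) -> tuple:
    """CGI entry point for the POST; returns (status, headers, body)."""
    if environ.get("REQUEST_METHOD") != "POST":
        return ("405 Method Not Allowed", [], b"POST only\n")
    ctype = environ.get("CONTENT_TYPE", "")
    if not ctype.startswith("multipart/form-data"):
        return ("415 Unsupported Media Type", [], b"expected multipart/form-data\n")
    files = [p for p in parse_multipart(ctype, stdin) if p.name == "file" and p.filename is not None]
    if not files:
        return ("400 Bad Request", [], b"no file field\n")
    token = store_upload(files[0], upload_dir)
    return ("200 OK", [("Content-Type", "text/plain")], (token + "\n").encode())


def download_cgi(environ: dict, upload_dir: str = UPLOAD_DIR) -> tuple:
    """CGI entry point for GET ?id=<token>; serves the file as an opaque attachment."""
    m = re.match(r"^id=([0-9a-f]{32})$", environ.get("QUERY_STRING", ""))
    if not m:                                   # anything but a token never reaches the filesystem
        return ("400 Bad Request", [], b"bad id\n")
    try:
        with open(os.path.join(upload_dir, m.group(1)), "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return ("404 Not Found", [], b"no such file\n")
    headers = [("Content-Type", "application/octet-stream"),   # not the type the uploader claimed
               ("Content-Disposition", 'attachment; filename="download.bin"'),
               ("X-Content-Type-Options", "nosniff"),          # browser must not guess HTML/JS
               ("Content-Length", str(len(data)))]
    return ("200 OK", headers, data)


# Constructed sample request: a traversal attempt in the filename and a body that is a
# valid GIF header followed by HTML, i.e. a polyglot.
SAMPLE_BOUNDARY = "----boundary42"
SAMPLE_BODY = (b"------boundary42\r\n"
               b'Content-Disposition: form-data; name="file"; filename="../../cat.gif"\r\n'
               b"Content-Type: image/gif\r\n\r\n"
               b"GIF89a<script>alert(1)</script>\r\n"
               b"------boundary42--\r\n")


def demo(upload_dir: Optional[str] = None) -> dict:
    """Upload the sample, download it again, try a traversal; return what was observed."""
    upload_dir = upload_dir or tempfile.mkdtemp()
    env = {"REQUEST_METHOD": "POST",
           "CONTENT_TYPE": "multipart/form-data; boundary=" + SAMPLE_BOUNDARY}
    status, _, body = upload_cgi(env, SAMPLE_BODY, upload_dir)
    token = body.decode().strip()
    mode = os.stat(os.path.join(upload_dir, token)).st_mode & 0o777
    dstatus, dheaders, ddata = download_cgi({"QUERY_STRING": "id=" + token}, upload_dir)
    tstatus, _, _ = download_cgi({"QUERY_STRING": "id=../../etc/passwd"}, upload_dir)
    return {"upload_status": status, "token": token, "stored_as": os.listdir(upload_dir),
            "mode": mode, "download_status": dstatus, "download_headers": dict(dheaders),
            "download_data": ddata, "traversal_status": tstatus}
```

Run demo() to see the whole round trip in a scratch directory. The point of
the download script is that the web server never serves the upload directory
itself, so even a file that is simultaneously a GIF and an HTML page is only
ever returned as application/octet-stream with nosniff, and the name the
uploader supplied (here "../../cat.gif") never touches the filesystem.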
