[Info-vax] HTTP and HTML File Upload Basics
Arne Vajhøj
arne at vajhoej.dk
Tue Oct 20 15:11:34 EDT 2020
On 10/20/2020 3:05 PM, Stephen Hoffman wrote:
> On 2020-10-20 17:32:08 +0000, Phillip Helbig (undress to reply) said:
>> Does anyone have a basic DCL script which, when called as a script by
>> the web server, can upload a file from the browser machine to the server
>> machine?
>
> CGI doesn't get used for this. A CGI-based fetch as you're likely
> envisioning here would be routinely blocked by network firewalls, among
> other details.
????
I believe he is asking for:
browser---(POST of file)---web server---CGI script---disk file
That is very much possible. And the firewall will most likely not
even know that the target URL is a CGI script.
> And somewhat more advanced, do not allow the user to provide a filename,
> and do not allow execute access within the upload directories.
> Particularly beware polyglot files; files an incautious user might think
> harmless can be executables.
>
> https://security.stackexchange.com/questions/116819/beside-gifar-are-there-any-other-known-polyglot-files
>
> Open and insecure uploads can be quickly filled with warz and worse,
> particularly if a remote user can then download the content.
Yes - there are some security risks.
Uploading to a directory not served by the web server and using a download
script to get it may be a good thing.
Arne
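The approach Arne sketches (server-chosen filename, upload directory outside the served tree, a separate download script) together with the hardening points quoted from Stephen Hoffman, as an added example in Python rather than DCL; this is not code from the thread. The location of `UPLOAD_DIR`, the function names, and the use of a 32-hex-digit token as the download handle are assumptions.

```python
import os
import re
import secrets
import tempfile

# Assumption: a directory the web server never serves files from directly.
UPLOAD_DIR = tempfile.mkdtemp(prefix="uploads-")


def store_upload(client_name: str, data: bytes) -> str:
    """Save uploaded bytes under a server-chosen name and return the download token.

    The client-supplied filename is never used as a path component; a sanitised
    copy is kept only as a hint for the later Content-Disposition header.
    """
    token = secrets.token_hex(16)  # unguessable, no user influence on the on-disk name
    hint = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(client_name))[:64] or "file"
    path = os.path.join(UPLOAD_DIR, token)
    # O_EXCL refuses to overwrite an existing file; mode 0600 means no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    with open(path + ".name", "w", encoding="ascii") as f:  # metadata beside the blob
        f.write(hint)
    return token


def download(token: str):
    """Download script: hand back (headers, body) for a token, or None if it is not valid."""
    if not re.fullmatch(r"[0-9a-f]{32}", token):  # anything that is not a bare token is rejected
        return None
    path = os.path.join(UPLOAD_DIR, token)
    if not os.path.isfile(path):
        return None
    with open(path + ".name", encoding="ascii") as f:
        hint = f.read()
    with open(path, "rb") as f:
        body = f.read()
    headers = {
        # Always delivered as an opaque attachment: a polyglot file stored here is
        # not rendered or sniffed into something executable by the browser.
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{hint}"',
    }
    return headers, body
```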