[cgiapp] Problems with uploads

Ron Savage ron at savage.net.au
Thu Jun 24 19:03:37 EDT 2010


Hi Nicholas

On Thu, 2010-06-24 at 18:12 +0100, Nicholas Bamber wrote:
> I have just had a terrible time getting file uploads to work with 
> CGI::Application. I ended up working with a hacked version of CGI.pm 
> that was writing statements to a local file. I have had to temporarily 
> abandon "test-driven development" in favour of "just get the damn thing 
> working - sort of - development". I have put up a proposal for a better 
> world on perlmonks (http://perlmonks.org/?node_id=846191) but that will 
> have to come in due course.

Yep - we all know the frustration of getting onto the wrong path...

It's especially infuriating for beginners, since they can't be sure it's
their fault or the other person's.

> A lot of my troubles seem to have come from following the "HTML, XHTML, 
> and CSS Bible" by Steven Shafer which recommends a form like this:
> 
> <form action="formhandler.cgi" method="post" enctype="form/multipart">
> <input type="file" id="file" size="10"/> ......
> 
> I was slightly puzzled by the use of an "id" attribute rather than a 
> "name" attribute, when I want to read from this control rather than 
> manipulate it in javascript. I fixed that without spotting any other issues.

There is nothing wrong with the id. I always use name and id, myself,
and make them the same value.

JS code will often require the id, so you should always include it.

> It took me a long time to realize that the browser was sending 
> CONTENT_LENGTH = 13. I could have spotted this with
> CGI::Application::Plugin::DevPopup::HTTPHeaders which I was using, but I 
> did not make the connection until I was actually reading the CGI source. 
> When I removed the size attribute this problem went away.
> 
> The second problem was that the enctype should be "multipart/form-data" 
> not "form/multipart". Fixing that got a CGI::Application file upload 
> working.

That's a nasty bug to publish. And size 10 seems very narrow-minded.

You should be justifiably suspicious of any other code in the book.

> I still need to go on and do stuff with the file and then implement the 
> security checks. I was hoping to use 
> Data::FormValidator::Constraints::Upload but that does not seem very 
> likely just now.
> 
> In the middle of all that I had a look at the CGI.pm bug list. Several 
> appear related to uploads

Most people don't have problems. It's always difficult to know exactly
what set-up the user was using.

> Bug #32135 for CGI.pm: Needs Test: some uploads starts to fail with 
> CGI.pm 3.29
> Bug #56780 for CGI.pm: Windows 7 and CGI.PM undefined upload handle
> Bug #55166 for CGI.pm:
> Bug #53966 for CGI.pm: "CGI open of tmpfile: No such file
> Bug #31107 for CGI.pm: Needs Confirmation: 400 Bad
> 
> and so on. This scared me enough that I looked at CGI::Simple and 
> CGI::Minimal. The former had quite a few upload bugs and I could not get 
> the latter to work anyway. (I went back to CGI and got that working as 
> described above.)

Excellent!

> I then ran Devel::Cover on the CGI.pm code downloaded from github:
> ---------------------------- ------ ------ ------ ------ ------ ------ ------
> File                           stmt   bran   cond    sub    pod   time  total
> ---------------------------- ------ ------ ------ ------ ------ ------ ------
> blib/lib/CGI.pm                87.8   75.8   71.9   87.5   37.0   88.3   79.8
> blib/lib/CGI/Apache.pm        100.0    n/a    n/a  100.0    n/a    0.0  100.0
> blib/lib/CGI/Carp.pm           73.0   60.3   47.8   73.9    0.0    0.8   63.3
> blib/lib/CGI/Cookie.pm         94.0   65.2   50.0  100.0   43.8    1.3   79.2
> blib/lib/CGI/Fast.pm           82.8   66.7    0.0  100.0    0.0    0.1   75.5
> blib/lib/CGI/Pretty.pm         74.3   57.7   66.7   58.3    0.0    1.2   65.9
> blib/lib/CGI/Push.pm           90.7   62.5   41.7   83.3    0.0    1.8   73.1
> blib/lib/CGI/Switch.pm        100.0    n/a    n/a  100.0    n/a    0.0  100.0
> blib/lib/CGI/Util.pm           73.8   65.2   46.2   73.3    0.0    6.6   64.0
> Total                          85.0   71.3   66.2   84.3   24.0  100.0   76.0
> ---------------------------- ------ ------ ------ ------ ------ ------ ------
> Maybe if we could get the test coverage up, the number of bugs would 
> become more manageable.

But the bug reports /already/ tell us what needs work. If you can figure
out a patch, I'm sure the author of CGI would be delighted to receive
it.

-- 
Ron Savage
http://savage.net.au/
Ph: 0421 920 622
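
Added example, not part of the original thread or of any project mentioned in it: a small Python lint that flags the form defects discussed above (a file input without a name, an enctype other than "multipart/form-data") plus a non-POST method, so a template can be checked before debugging the server side. The class and function names and the closing tags in the sample forms are assumptions made for this example.

```python
from html.parser import HTMLParser

REQUIRED_ENCTYPE = "multipart/form-data"


class UploadFormLint(HTMLParser):
    """Collect markup problems that stop a file upload reaching the server."""

    def __init__(self):
        super().__init__()
        self.problems = []
        self._form = None          # attributes of the <form> currently open
        self._form_checked = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form, self._form_checked = a, False
        elif tag == "input" and a.get("type", "").lower() == "file":
            self._check_file_input(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def _check_file_input(self, a):
        # Controls without a name are left out of the submitted form data.
        if not a.get("name"):
            self.problems.append("file input has no name attribute")
        if self._form is None:
            self.problems.append("file input is outside any form")
        elif not self._form_checked:   # report each form only once
            self._form_checked = True
            enctype = self._form.get("enctype", "").strip().lower()
            if enctype != REQUIRED_ENCTYPE:
                self.problems.append(f"form enctype is '{enctype}', need '{REQUIRED_ENCTYPE}'")
            if self._form.get("method", "").strip().lower() != "post":
                self.problems.append("form method is not post")


def lint(html):
    parser = UploadFormLint()
    parser.feed(html)
    parser.close()
    return parser.problems


# Constructed samples: the form quoted in the thread, and a corrected version.
BOOK_FORM = '<form action="formhandler.cgi" method="post" enctype="form/multipart"><input type="file" id="file" size="10"/></form>'
FIXED_FORM = '<form action="formhandler.cgi" method="post" enctype="multipart/form-data"><input type="file" name="file" id="file"/></form>'
```
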