[cgiapp] Data validation of file uploads

Mark Fuller azfuller at gmail.com
Mon Sep 20 18:11:04 EDT 2010


On Mon, Sep 20, 2010 at 7:08 AM, Nicholas Bamber <nicholas at periapt.co.uk> wrote:
> * Once processing is finished the data is presumably written to a file or a
> database, and the memory can be reclaimed.

Can I ask why you don't want to write the incoming stream to a temp
file the "normal" way?

The only reason I can think of would be security concerns. That it's
highly sensitive data. In that case, it seems like it would be better
to transmit a shared secret to the client through an https connection,
and encrypt the data as it's sent (through JavaScript?). Or, modify a
copy of CGI.pm or CGI::Simple to encrypt the chunked incoming data as
it's written to the temp file.

From something you said earlier, it sounded like you just want to
untaint the data before it's written to disk. If that's all it is, I
don't understand how untainted data written to a temp directory would
be risky.

Mark

