LC-only 'POST' file upload code?
Richard Gaskin
ambassador at fourthworld.com
Fri May 22 11:40:34 EDT 2015
J. Landman Gay wrote:
> I use that to talk to servers but does that work with files? Don't
> you need credentials or something?
Yes, POST covers the client side. For the server side this tutorial
shows how to extract that incoming data and write it to a file:
<http://lessons.runrev.com/m/4070/l/40708-how-to-upload-a-file-with-livecode-server>
Not covered there are authentication and sanitizing, the specifics of
which may depend on the particulars of the application.
Authentication is broad and no one agrees on a "best" way, so I'll leave
that alone. ;)
For sanitizing, any files uploaded in my own apps are designated for
specific folders, so I disallow all "/" in the file name. Without that
it may be possible to write files in the web root, and if what's written
is a PHP file or even an LC file it may contain instructions to allow
control of the server, executable from anywhere on the 'net.
Further sanitizing may be useful depending on where the file data goes
and what will be done with it.
This list of security tips for handling incoming form data may be helpful:
Why File Upload Forms are a Major Security Threat
<https://www.acunetix.com/websitesecurity/upload-forms-threat/>
Cases 4 and 5 there were especially interesting to me, as I learned only
recently about the exposure that can happen with a file named something
like "file.php.123" being interpreted as a PHP file and executed.
--
Richard Gaskin
Fourth World Systems
Software Design and Development for the Desktop, Mobile, and the Web
____________________________________________________________________
Ambassador at FourthWorld.com http://www.FourthWorld.com
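The sanitizing policy described in the post above (rejecting "/" so an upload can only land in its designated folder, and refusing names like "file.php.123" whose extra extension a server might still hand to an interpreter), as an added example that is not part of the thread or of the linked tutorial. It is written in Python rather than LiveCode so it can run stand-alone; it goes a little beyond the post by also rejecting backslashes, NUL bytes, dot files and anything not on a short extension allow-list. The upload directory, the allow-list and the name length limit are assumptions for the example.

```python
import os
import re

# Assumed policy for this example: one designated folder (ideally outside
# the web root) and an allow-list of single, final extensions. No extension
# that any server-side interpreter handles is on the list.
UPLOAD_DIR = "/var/www/uploads"  # assumed path
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
# Letters, digits, dot, underscore, hyphen; must start with a letter or digit.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def sanitize_filename(name: str) -> str:
    """Return a safe basename for a client-supplied name, or raise ValueError.

    Rejects path separators ("/" as in the post, plus "\\" for Windows
    hosts), "." and "..", leading dots, NUL bytes and any character outside
    SAFE_NAME, and requires exactly one extension from the allow-list, so
    "file.php.123" and "shell.php" are both refused.
    """
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    if "/" in name or "\\" in name:
        raise ValueError("path separator in file name")
    if name.startswith("."):
        raise ValueError("dot file or traversal component")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("disallowed characters in file name")
    # Split on every dot: "file.php.123" -> ["file", "php", "123"] (3 parts).
    parts = name.split(".")
    if len(parts) != 2:
        raise ValueError("exactly one extension required")
    base, ext = parts
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return f"{base}.{ext.lower()}"


def is_safe_name(name: str) -> bool:
    """Boolean wrapper around sanitize_filename for quick checks."""
    try:
        sanitize_filename(name)
        return True
    except ValueError:
        return False


def destination_path(name: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Join the sanitized name to upload_dir and confirm it stays inside it."""
    safe = sanitize_filename(name)
    path = os.path.join(upload_dir, safe)
    root = os.path.realpath(upload_dir)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise ValueError("path escapes upload directory")
    return path


def save_upload(name: str, data: bytes, upload_dir: str = UPLOAD_DIR) -> str:
    """Write the upload to its checked destination without clobbering files."""
    path = destination_path(name, upload_dir)
    # O_EXCL refuses to overwrite an existing file; mode 0o600 keeps the
    # result non-executable and private to the server user.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    for candidate in ["photo.jpg", "file.php.123", "../shell.php", ".htaccess"]:
        print(f"{candidate!r}: {'ok' if is_safe_name(candidate) else 'rejected'}")
```

The allow-list plus the "exactly one extension" rule is what closes the "file.php.123" case: rather than trying to enumerate every extension some server configuration might execute, the server accepts only names it can account for. The extension check is about the name only; what the bytes actually are is a separate question, which is the "further sanitizing" the post mentions.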