LC-only 'POST' file upload code?

Richard Gaskin ambassador at fourthworld.com
Fri May 22 11:40:34 EDT 2015


J. Landman Gay wrote:

 > I use that to talk to servers but does that work with files? Don't
 > you need credentials or something?

Yes, POST covers the client side.  For the server side this tutorial 
shows how to extract that incoming data and write it to a file:
<http://lessons.runrev.com/m/4070/l/40708-how-to-upload-a-file-with-livecode-server>

Not covered there are authentication and sanitizing, the specifics of 
which may depend on the particulars of the application.

Authentication is broad and no one agrees on a "best" way, so I'll leave 
that alone. ;)

For sanitizing, any files uploaded in my own apps are designated for 
specific folders, so I disallow all "/" in the file name.  Without that 
it may be possible to write files in the web root, and if what's written 
is a PHP file or even an LC file it may contain instructions to allow 
control of the server, executable from anywhere on the 'net.

Further sanitizing may be useful depending on where the file data goes 
and what will be done with it.

This list of security tips for handling incoming form data may be helpful:

Why File Upload Forms are a Major Security Threat
<https://www.acunetix.com/websitesecurity/upload-forms-threat/>

Cases 4 and 5 there were especially interesting to me, as I learned only 
recently about the exposure that can happen with a file named something 
like "file.php.123" being interpreted as a PHP file and executed.

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com
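As an added example (not Richard's code, nor LiveCode's), here is the "no slashes in the file name" rule from the post combined with the multi-extension case ("file.php.123") from the linked article, written in Python so it can be run stand-alone; the extension sets and the upload folder are assumptions, and the same checks port directly to an LC server script that writes the POSTed data.

```python
import os
import re

# Constructed for this example; tune both sets to the handlers your server enables.
SCRIPT_EXTENSIONS = frozenset({   # anything an interpreter might execute
    "php", "php3", "php4", "php5", "phtml", "phar", "lc", "irev",
    "pl", "cgi", "py", "asp", "aspx", "jsp", "sh", "htaccess",
})
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf", "txt"})  # what we store

class UnsafeFilename(ValueError):
    """Raised when a client-supplied file name must not be written."""

def sanitize_upload_filename(name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Reduce a client-supplied name to a single stem.ext, or refuse it."""
    # A separator or NUL means the client is choosing the folder, not the file.
    if not name or any(c in name for c in "/\\\x00"):
        raise UnsafeFilename("path separators are not allowed in an upload name")
    parts = name.lower().split(".")
    # ".htaccess", ".." and "README" have no usable stem plus extension.
    if len(parts) < 2 or not parts[0]:
        raise UnsafeFilename("name must have the form stem.extension")
    *stem_parts, final_ext = parts
    # Every dotted segment counts: with multi-extension handling (Apache mod_mime
    # style) "shell.php.123" can run as PHP, so refuse a script extension anywhere.
    if any(seg in SCRIPT_EXTENSIONS for seg in parts[1:]):
        raise UnsafeFilename("script extension present in name")
    if final_ext not in allowed:
        raise UnsafeFilename(f"extension .{final_ext} is not permitted")
    # Fold intermediate segments into the stem, replace anything outside a
    # conservative character set, and cap the length; the result has one dot.
    stem = re.sub(r"[^a-z0-9_-]", "_", "_".join(stem_parts))[:64]
    return f"{stem}.{final_ext}"

def is_safe_upload_name(name: str) -> bool:
    """True when sanitize_upload_filename accepts the name."""
    try:
        sanitize_upload_filename(name)
    except UnsafeFilename:
        return False
    return True

def destination_path(upload_dir: str, client_name: str) -> str:
    """Absolute path inside upload_dir for a sanitized client name."""
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, sanitize_upload_filename(client_name)))
    # Defence in depth: refuse anything that still resolved outside the folder.
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeFilename("destination escapes the upload folder")
    return dest
```

The allowlist on the final extension, rather than a denylist alone, is what keeps an unexpected handler mapping on the server from turning a stored upload into executable content.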



