Question: Limiting Filetypes Uploaded


From: Jonathan Vanasco
Subject: Question: Limiting Filetypes Uploaded
Date: 18:44 on 01 Mar 2005
I'm in need of a 'good' method to limit files uploaded via mod_perl2
(to photos of gif/jpg/png 100k or less)

How have others approached this?  I haven't found much on the subject
(and it took me FOREVER to figure out that I needed to use
Apache::Upload() for mp2!)

With the test code below, I've noticed some interesting things:
	1 - depending on the browser, if $req{POST_MAX} or the form
MAX_FILE_SIZE is exceeded, nothing can happen.  This is a browser
crappiness issue, correct?
	1b - if the POST_MAX is exceeded, is it possible to find out that this
happened and act appropriately on it?
	2 - I've noticed a type of "image/jpeg"  "image/gif"   "image/png" for
uploaded file types.  Can this be relied on to any extent?

Right now, I'm thinking the following validation process - is this too 
much, or too little?:
	stage 1,  accept the file if the 'type' is image/jpeg image/gif 
image/png
	stage 2, accept the file if the extension is ok (png/jpg/jpeg/gif) and 
it matches the filetype
	stage 3, (is this needed, or is this previously done to get the type 
?) read the beginning of the file to make sure that it is a valid image

I'm also a little unsure of saving the file.  Right now, I'm going to
save to disk, but in the future I may want to do this via Danga's
MogileFS.
In either situation, there seem to be far too many options on how to
do this!
Can anyone suggest what would be the more appropriate?
	a - rename $upload->tempname() to the destination ( is $upload->link a
safe way of doing this?  or does upload->link create a new link and
leave the tmpfile?)
	b - $upload->slurp($contents); write $contents to a file/object
	c - read $upload->fh, $fh_data, $size; write $fh_data to file/object
	d - do something with io that I don't understand


So far
--------
handler:
	use Apache::Request ();
	use Apache::Upload (); # required to access upload in mp2
	my $r   = shift;
	# POST_MAX caps the whole request body at 100000 bytes
	my $req = Apache::Request->new( $r, DISABLE_UPLOADS => 0, POST_MAX => 100000 );

--------
upload page html
	<form action="" method="POST" name="pForm" id="pForm" enctype="multipart/form-data">
	<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
	<input id="photo" type="file" name="photo" /> <br />
	Use a GIF, JPG, or PNG file (maximum size of 100KB)
	<input type="submit" name="submit" value="Upload">
	</form>

--------
upload page perl
	my $upload     = $this->{'User'}{'ApacheRequest'}->upload("photo");
	my $filename   = $upload->filename;   # name as sent by the client
	my $filehandle = $upload->fh;         # handle on the spooled temp file
	my $size       = $upload->size;
	my $type       = $upload->type;       # Content-Type as sent by the client
	my $info       = $upload->info;       # headers of this multipart section
	DEBUG >0 && print STDERR "\n";
	DEBUG >0 && print STDERR "clientside filename 	- '$filename'\n";
	DEBUG >0 && print STDERR "size 				- '$size'\n";
	DEBUG >0 && print STDERR "spool filehandle 	- '$filehandle'\n";
	DEBUG >0 && print STDERR "type 				- '$type'\n";
	while (my($hdr_name, $hdr_value) = each %$info)
	{
		print STDERR "info 			- '$hdr_name','$hdr_value'\n";
	}
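
The three validation stages proposed in the message above (declared type, extension, leading bytes), sketched in plain Perl as an added example that is not part of the original post. `check_image_upload`, `%MAGIC`, `%EXT` and the sample byte strings are constructed for illustration, and `$fh` stands in for the handle that `$upload->fh` returns.

```perl
use strict;
use warnings;

my $MAX_BYTES = 100_000;    # same limit as POST_MAX in the handler above

# Leading signature bytes for each accepted format.
my %MAGIC = (
    'image/png'  => qr/\A\x89PNG\x0D\x0A\x1A\x0A/,
    'image/gif'  => qr/\AGIF8[79]a/,
    'image/jpeg' => qr/\A\xFF\xD8\xFF/,
);
my %EXT = (png => 'image/png',  gif  => 'image/gif',
           jpg => 'image/jpeg', jpeg => 'image/jpeg');

# Returns (detected_type, undef) on success or (undef, reason) on rejection.
# Hypothetical helper: $fh is any readable, seekable handle.
sub check_image_upload {
    my ($fh, $client_name, $client_type, $size) = @_;
    return (undef, 'too large') if $size > $MAX_BYTES;

    binmode $fh;
    my $got = read($fh, my $head, 8);
    return (undef, 'unreadable or empty') unless $got;
    seek $fh, 0, 0;    # rewind so the caller can still save the file

    my ($sniffed) = grep { $head =~ $MAGIC{$_} } sort keys %MAGIC;
    return (undef, 'not a gif/jpeg/png signature') unless $sniffed;

    # Client-supplied name and type are only cross-checked against the bytes.
    my ($ext) = lc($client_name) =~ /\.([a-z]+)\z/;
    return (undef, 'extension mismatch')
        unless defined $ext && ($EXT{$ext} // '') eq $sniffed;
    return (undef, 'declared type mismatch')
        unless lc($client_type // '') eq $sniffed;
    return ($sniffed, undef);
}

# Constructed samples: (client filename, declared type, file bytes).
my @samples = (
    ['me.png', 'image/png',  "\x89PNG\x0D\x0A\x1A\x0A" . "\0" x 16],
    ['me.jpg', 'image/jpeg', "GIF89a" . "\0" x 16],
    ['me.gif', 'image/gif',  "<?php echo 1; ?>"],
);
for my $s (@samples) {
    my ($name, $type, $bytes) = @$s;
    open my $fh, '<', \$bytes or die "open: $!";
    my ($ok, $why) = check_image_upload($fh, $name, $type, length $bytes);
    printf "%-7s %s\n", $name, $ok ? "accept ($ok)" : "reject: $why";
}
```

A signature match only shows that the leading bytes look like an image header; it does not decode the rest of the file.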
