Web-based forms are nothing new to most webmasters. In fact, forms that utilize
form-to-email gateways, such as Internet Connection's MailForm,
are quite commonly used as a way to gather information from the visitors
to a website. However, some cases may arise where the information that you
want to receive through your form cannot be provided in a text input field--sometimes
you may want to allow the people filling out your forms to send you information
in a file.
However, this sort of HTTP-based uploading, where anonymous users effectively have write permission on your account, can create security vulnerabilities. A malicious user could abuse an HTTP-based upload system in a number of ways:
- by uploading several gigabytes of files, using up disk space which causes problems for not only your own site, but also all other sites on the server
- by uploading and executing files containing code designed to cause harm to your files or the server
The UploadForm package addresses these risks by giving you a controlled way to let your visitors upload files to your site.
Here are some examples of where an HTTP-based upload system such as UploadForm could be used:
- accept resume submissions (.doc, .txt, .html files)
- allow members of a discussion board to submit images that they can include in their posts
- build a dynamic family album where family members can upload photographs that can be included into HTML pages via a CGI script
Linux customers install UploadForm through the Package Installer section of your netConsole. Just select "uploadform" from the drop-down menu and click the install button.
If you are a Windows 2000 customer, first download the UploadForm package, then upload the contents of the .zip file to your account on the server. Next, create the directory/directories that files will be uploaded to. Finally, notify Internet Connection Support of the path and the name of the directory/directories so that we may set the correct permissions for them.
As mentioned above, an ill-conceived HTTP-based upload system poses a security threat to both your website and possibly the server it is hosted on. To lessen this threat, UploadForm has options, set in a configuration file, that reduce the possibility of UploadForm being abused. The configuration file that contains these security-related options, as well as the other options, is called options.inc. If you are a Linux hosting client, options.inc is located in your cgi-bin. If you are a Windows 2000 client, you choose the location of options.inc and the other UploadForm-related files.
File Number Restriction
This option sets the number of file upload fields displayed on your form, and therefore the number of files a user may upload in one submission. In the lines below, the option has been left at its default, 3. If you modify it, the number you set it to will be the number of file upload fields displayed on the form.
    ' You can allow several uploads at-a-time; the default is three,
    ' but you can increase or decrease this to your liking.
    '
    Accept 3
File Size Restriction
This option allows you to specify the maximum file size for each file uploaded.
    ' This sets the maximum limit of file-upload size to 5MB
    ' The value is in bytes and can be computed as 1024B=1KB, 1024KB=1MB
    ' Thus, 5MB = 5242880 bytes
    Limit 5242880
Upload Areas
This option is where you specify the directory or directories ("areas") that users are allowed to upload files to. You must create your area(s) and specify the paths to them in options.inc before using the script; uploads to any path not listed here are refused. Windows 2000 customers must notify Internet Connection Support of the path and the name of the directory/directories so that we may set the correct permissions for them.
The paths specified in options.inc are relative to your webshare (unix) or html (Windows 2000) directory. For example, if you created a directory called "uploads" in webshare, the path would be "/uploads/" not "/webshare/uploads/".
    ' This is a list of "areas" that support upload
    ' the first area listed is the DEFAULT area in the list
    '
    ' These are Virtual directories, so they must already exist
    ' and please remember to make sure IIS cannot Script or Execute
    ' anything in these directories...
    '
    Area "Default Area", "/uploads/"
    Area "Project X", "/uploads/projectx/"
File Type Restriction
This option allows you to specify which types of files, by extension, can be uploaded. In the example below, we only want to accept Microsoft Word documents. The check is on the file extension only, not the file's contents, so keep the list of allowed extensions as short as your use case permits.
    ' Note that "txt" files are always allowed; this is because if the client does
    ' not specify an extension, we will supply them with a .txt one automatically.
    '
    Allow doc
Other Non-Configurable Features
In addition to the configurable features that make UploadForm secure, the package will not allow users to upload executable files and scripts.
UploadForm also offers Filename Collision Protection by giving each newly-uploaded file a unique name. This prevents accidental overwriting when multiple users upload files of the same name. Users can bypass this if they wish: they simply name the file to be uploaded the same as a file already on the server and check the "Replace File" box on the form. Note that this also means any user who knows the name of a file already in an area can overwrite it, so do not rely on collision protection to keep uploaded files intact.
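The checks described in the sections above (file count, size limit, upload area, extension allow list, the built-in block on executables, and filename collision protection) as one worked example. This is added illustration code in Python, not part of the UploadForm package or any Internet Connection script. The options.inc text is constructed here in the syntax shown above; the ALWAYS_DENIED set, the filename sanitising rules and the collision suffix are assumptions about what a careful upload handler should do, not UploadForm's documented behaviour.

```python
import posixpath
import re
import secrets
from dataclasses import dataclass, field

# Constructed options.inc in the syntax shown on this page: comment lines
# begin with an apostrophe; directives are Accept, Limit, Area and Allow.
SAMPLE_OPTIONS_INC = """\
' You can allow several uploads at-a-time; the default is three
Accept 3
' 5MB = 5242880 bytes
Limit 5242880
' the first area listed is the DEFAULT area
Area "Default Area", "/uploads/"
Area "Project X", "/uploads/projectx/"
' "txt" files are always allowed
Allow doc
"""

# Assumed deny list standing in for UploadForm's built-in block on
# "executable files and scripts"; the page does not list the extensions.
ALWAYS_DENIED = {"exe", "com", "bat", "cmd", "vbs", "js", "sh",
                 "pl", "cgi", "php", "asp", "aspx"}

AREA_RE = re.compile(r'"([^"]*)"\s*,\s*"([^"]*)"')
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


@dataclass
class Policy:
    accept: int = 3                                   # file fields per form
    limit: int = 5242880                              # bytes per file
    areas: dict = field(default_factory=dict)         # area name -> path
    allow: set = field(default_factory=lambda: {"txt"})


def parse_options(text: str) -> Policy:
    """Parse the options.inc directives documented on this page."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "accept":
            policy.accept = int(rest)
        elif key == "limit":
            policy.limit = int(rest)
        elif key == "area":
            m = AREA_RE.fullmatch(rest)
            if not m:
                raise ValueError(f"bad Area line: {raw!r}")
            policy.areas[m.group(1)] = m.group(2)
        elif key == "allow":
            policy.allow.add(rest.lower().lstrip("."))
        else:
            raise ValueError(f"unknown directive: {raw!r}")
    return policy


@dataclass
class Upload:
    area: str        # area name chosen on the form
    filename: str    # client-supplied name, untrusted
    size: int        # bytes received


def safe_basename(client_name: str) -> str:
    """Drop any directory part (Unix or Windows) and unsafe characters,
    so "../../webshare/index.html" cannot escape the upload area."""
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    name = UNSAFE_CHARS.sub("_", name).strip(".")
    return name or "upload"


def check_request(policy, uploads, existing=frozenset(), replace=False, suffix=None):
    """Validate one form submission; returns a list of (ok, path_or_reason)."""
    if len(uploads) > policy.accept:
        return [(False, f"more than {policy.accept} files submitted")] * len(uploads)
    return [check_one(policy, up, existing, replace, suffix) for up in uploads]


def check_one(policy, up, existing, replace, suffix):
    if up.size <= 0 or up.size > policy.limit:
        return False, f"size {up.size} outside 1..{policy.limit} bytes"
    if up.area not in policy.areas:
        return False, f"unknown area {up.area!r}"
    name = safe_basename(up.filename)
    if "." not in name:
        name += ".txt"            # page: no extension -> .txt is supplied
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    # Every dotted segment is checked, so "shell.php.doc" is rejected even
    # though its final extension is on the Allow list.
    segments = {s.lower() for s in name.split(".")[1:]}
    if segments & ALWAYS_DENIED:
        return False, f"executable or script extension in {name!r}"
    if ext not in policy.allow:
        return False, f"extension {ext!r} not in Allow list"
    # Filename collision protection: unique name unless "Replace File" is set.
    if name in existing and not replace:
        name = f"{stem}-{suffix or secrets.token_hex(4)}.{ext}"
    return True, posixpath.join(policy.areas[up.area], name)
```

The `existing` set stands in for a directory listing of the target area; `suffix` exists only so the collision rename can be checked deterministically, and a real handler would leave it unset so `secrets.token_hex` picks the suffix.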
UploadForm In Use
As you may have guessed, there are many uses for the UploadForm package. Here are a few more ideas on how it can be used and combined with other packages and features of your site:
- Combine ezSecure, a package that allows you to password-protect directories, with UploadForm to create a members/employees/etc. -only area for uploading files.
- Use Server Side Includes (SSI) and a Perl/PHP/ASP script to build a dynamic gallery where artists can share digital copies of their work.
- Use Perl (or PHP), UploadForm, and MySQL/SQLite to create a web-based document authoring area.
- Create a free for all upload area and use cron to schedule one or more Perl or shell scripts to manage the area.